xref: /linux/tools/testing/selftests/bpf/test_verifier.c (revision d96fc832bcb6269d96e33d506f33033d7ed08598) 
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of version 2 of the GNU General Public
9  * License as published by the Free Software Foundation.
10  */
11 
12 #include <endian.h>
13 #include <asm/types.h>
14 #include <linux/types.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <string.h>
21 #include <stddef.h>
22 #include <stdbool.h>
23 #include <sched.h>
24 #include <limits.h>
25 
26 #include <sys/capability.h>
27 
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
33 
34 #include <bpf/bpf.h>
35 
36 #ifdef HAVE_GENHDR
37 # include "autoconf.h"
38 #else
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41 # endif
42 #endif
43 #include "bpf_rlimit.h"
44 #include "../../../include/linux/filter.h"
45 
46 #ifndef ARRAY_SIZE
47 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
48 #endif
49 
50 #define MAX_INSNS	512
51 #define MAX_FIXUPS	8
52 #define MAX_NR_MAPS	4
53 #define POINTER_VALUE	0xcafe4all
54 #define TEST_DATA_LEN	64
55 
56 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
57 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
58 
59 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
60 static bool unpriv_disabled = false;
61 
62 struct bpf_test {
63 	const char *descr;
64 	struct bpf_insn	insns[MAX_INSNS];
65 	int fixup_map1[MAX_FIXUPS];
66 	int fixup_map2[MAX_FIXUPS];
67 	int fixup_prog[MAX_FIXUPS];
68 	int fixup_map_in_map[MAX_FIXUPS];
69 	const char *errstr;
70 	const char *errstr_unpriv;
71 	uint32_t retval;
72 	enum {
73 		UNDEF,
74 		ACCEPT,
75 		REJECT
76 	} result, result_unpriv;
77 	enum bpf_prog_type prog_type;
78 	uint8_t flags;
79 };
80 
81 /* Note we want this to be 64 bit aligned so that the end of our array is
82  * actually the end of the structure.
83  */
84 #define MAX_ENTRIES 11
85 
86 struct test_val {
87 	unsigned int index;
88 	int foo[MAX_ENTRIES];
89 };
90 
91 static struct bpf_test tests[] = {
92 	{
93 		"add+sub+mul",
94 		.insns = {
95 			BPF_MOV64_IMM(BPF_REG_1, 1),
96 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
97 			BPF_MOV64_IMM(BPF_REG_2, 3),
98 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
99 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
100 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
101 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
102 			BPF_EXIT_INSN(),
103 		},
104 		.result = ACCEPT,
105 		.retval = -3,
106 	},
107 	{
108 		"DIV32 by 0, zero check 1",
109 		.insns = {
110 			BPF_MOV32_IMM(BPF_REG_0, 42),
111 			BPF_MOV32_IMM(BPF_REG_1, 0),
112 			BPF_MOV32_IMM(BPF_REG_2, 1),
113 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
114 			BPF_EXIT_INSN(),
115 		},
116 		.result = ACCEPT,
117 		.retval = 42,
118 	},
119 	{
120 		"DIV32 by 0, zero check 2",
121 		.insns = {
122 			BPF_MOV32_IMM(BPF_REG_0, 42),
123 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
124 			BPF_MOV32_IMM(BPF_REG_2, 1),
125 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
126 			BPF_EXIT_INSN(),
127 		},
128 		.result = ACCEPT,
129 		.retval = 42,
130 	},
131 	{
132 		"DIV64 by 0, zero check",
133 		.insns = {
134 			BPF_MOV32_IMM(BPF_REG_0, 42),
135 			BPF_MOV32_IMM(BPF_REG_1, 0),
136 			BPF_MOV32_IMM(BPF_REG_2, 1),
137 			BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
138 			BPF_EXIT_INSN(),
139 		},
140 		.result = ACCEPT,
141 		.retval = 42,
142 	},
143 	{
144 		"MOD32 by 0, zero check 1",
145 		.insns = {
146 			BPF_MOV32_IMM(BPF_REG_0, 42),
147 			BPF_MOV32_IMM(BPF_REG_1, 0),
148 			BPF_MOV32_IMM(BPF_REG_2, 1),
149 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
150 			BPF_EXIT_INSN(),
151 		},
152 		.result = ACCEPT,
153 		.retval = 42,
154 	},
155 	{
156 		"MOD32 by 0, zero check 2",
157 		.insns = {
158 			BPF_MOV32_IMM(BPF_REG_0, 42),
159 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
160 			BPF_MOV32_IMM(BPF_REG_2, 1),
161 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
162 			BPF_EXIT_INSN(),
163 		},
164 		.result = ACCEPT,
165 		.retval = 42,
166 	},
167 	{
168 		"MOD64 by 0, zero check",
169 		.insns = {
170 			BPF_MOV32_IMM(BPF_REG_0, 42),
171 			BPF_MOV32_IMM(BPF_REG_1, 0),
172 			BPF_MOV32_IMM(BPF_REG_2, 1),
173 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
174 			BPF_EXIT_INSN(),
175 		},
176 		.result = ACCEPT,
177 		.retval = 42,
178 	},
179 	{
180 		"DIV32 by 0, zero check ok, cls",
181 		.insns = {
182 			BPF_MOV32_IMM(BPF_REG_0, 42),
183 			BPF_MOV32_IMM(BPF_REG_1, 2),
184 			BPF_MOV32_IMM(BPF_REG_2, 16),
185 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
186 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
187 			BPF_EXIT_INSN(),
188 		},
189 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
190 		.result = ACCEPT,
191 		.retval = 8,
192 	},
193 	{
194 		"DIV32 by 0, zero check 1, cls",
195 		.insns = {
196 			BPF_MOV32_IMM(BPF_REG_1, 0),
197 			BPF_MOV32_IMM(BPF_REG_0, 1),
198 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
199 			BPF_EXIT_INSN(),
200 		},
201 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
202 		.result = ACCEPT,
203 		.retval = 0,
204 	},
205 	{
206 		"DIV32 by 0, zero check 2, cls",
207 		.insns = {
208 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
209 			BPF_MOV32_IMM(BPF_REG_0, 1),
210 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
211 			BPF_EXIT_INSN(),
212 		},
213 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
214 		.result = ACCEPT,
215 		.retval = 0,
216 	},
217 	{
218 		"DIV64 by 0, zero check, cls",
219 		.insns = {
220 			BPF_MOV32_IMM(BPF_REG_1, 0),
221 			BPF_MOV32_IMM(BPF_REG_0, 1),
222 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
223 			BPF_EXIT_INSN(),
224 		},
225 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
226 		.result = ACCEPT,
227 		.retval = 0,
228 	},
229 	{
230 		"MOD32 by 0, zero check ok, cls",
231 		.insns = {
232 			BPF_MOV32_IMM(BPF_REG_0, 42),
233 			BPF_MOV32_IMM(BPF_REG_1, 3),
234 			BPF_MOV32_IMM(BPF_REG_2, 5),
235 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
236 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
237 			BPF_EXIT_INSN(),
238 		},
239 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
240 		.result = ACCEPT,
241 		.retval = 2,
242 	},
243 	{
244 		"MOD32 by 0, zero check 1, cls",
245 		.insns = {
246 			BPF_MOV32_IMM(BPF_REG_1, 0),
247 			BPF_MOV32_IMM(BPF_REG_0, 1),
248 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
249 			BPF_EXIT_INSN(),
250 		},
251 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
252 		.result = ACCEPT,
253 		.retval = 1,
254 	},
255 	{
256 		"MOD32 by 0, zero check 2, cls",
257 		.insns = {
258 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
259 			BPF_MOV32_IMM(BPF_REG_0, 1),
260 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
261 			BPF_EXIT_INSN(),
262 		},
263 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
264 		.result = ACCEPT,
265 		.retval = 1,
266 	},
267 	{
268 		"MOD64 by 0, zero check 1, cls",
269 		.insns = {
270 			BPF_MOV32_IMM(BPF_REG_1, 0),
271 			BPF_MOV32_IMM(BPF_REG_0, 2),
272 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
273 			BPF_EXIT_INSN(),
274 		},
275 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
276 		.result = ACCEPT,
277 		.retval = 2,
278 	},
279 	{
280 		"MOD64 by 0, zero check 2, cls",
281 		.insns = {
282 			BPF_MOV32_IMM(BPF_REG_1, 0),
283 			BPF_MOV32_IMM(BPF_REG_0, -1),
284 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
285 			BPF_EXIT_INSN(),
286 		},
287 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
288 		.result = ACCEPT,
289 		.retval = -1,
290 	},
291 	/* Just make sure that JITs used udiv/umod as otherwise we get
292 	 * an exception from INT_MIN/-1 overflow similarly as with div
293 	 * by zero.
294 	 */
295 	{
296 		"DIV32 overflow, check 1",
297 		.insns = {
298 			BPF_MOV32_IMM(BPF_REG_1, -1),
299 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
300 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
301 			BPF_EXIT_INSN(),
302 		},
303 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
304 		.result = ACCEPT,
305 		.retval = 0,
306 	},
307 	{
308 		"DIV32 overflow, check 2",
309 		.insns = {
310 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
311 			BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
312 			BPF_EXIT_INSN(),
313 		},
314 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
315 		.result = ACCEPT,
316 		.retval = 0,
317 	},
318 	{
319 		"DIV64 overflow, check 1",
320 		.insns = {
321 			BPF_MOV64_IMM(BPF_REG_1, -1),
322 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
323 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
324 			BPF_EXIT_INSN(),
325 		},
326 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
327 		.result = ACCEPT,
328 		.retval = 0,
329 	},
330 	{
331 		"DIV64 overflow, check 2",
332 		.insns = {
333 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
334 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
335 			BPF_EXIT_INSN(),
336 		},
337 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
338 		.result = ACCEPT,
339 		.retval = 0,
340 	},
341 	{
342 		"MOD32 overflow, check 1",
343 		.insns = {
344 			BPF_MOV32_IMM(BPF_REG_1, -1),
345 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
346 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
347 			BPF_EXIT_INSN(),
348 		},
349 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
350 		.result = ACCEPT,
351 		.retval = INT_MIN,
352 	},
353 	{
354 		"MOD32 overflow, check 2",
355 		.insns = {
356 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
357 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
358 			BPF_EXIT_INSN(),
359 		},
360 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
361 		.result = ACCEPT,
362 		.retval = INT_MIN,
363 	},
364 	{
365 		"MOD64 overflow, check 1",
366 		.insns = {
367 			BPF_MOV64_IMM(BPF_REG_1, -1),
368 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
369 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
370 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
371 			BPF_MOV32_IMM(BPF_REG_0, 0),
372 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
373 			BPF_MOV32_IMM(BPF_REG_0, 1),
374 			BPF_EXIT_INSN(),
375 		},
376 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
377 		.result = ACCEPT,
378 		.retval = 1,
379 	},
380 	{
381 		"MOD64 overflow, check 2",
382 		.insns = {
383 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
384 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
385 			BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
386 			BPF_MOV32_IMM(BPF_REG_0, 0),
387 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
388 			BPF_MOV32_IMM(BPF_REG_0, 1),
389 			BPF_EXIT_INSN(),
390 		},
391 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
392 		.result = ACCEPT,
393 		.retval = 1,
394 	},
395 	{
396 		"xor32 zero extend check",
397 		.insns = {
398 			BPF_MOV32_IMM(BPF_REG_2, -1),
399 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
400 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
401 			BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
402 			BPF_MOV32_IMM(BPF_REG_0, 2),
403 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
404 			BPF_MOV32_IMM(BPF_REG_0, 1),
405 			BPF_EXIT_INSN(),
406 		},
407 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
408 		.result = ACCEPT,
409 		.retval = 1,
410 	},
411 	{
412 		"empty prog",
413 		.insns = {
414 		},
415 		.errstr = "unknown opcode 00",
416 		.result = REJECT,
417 	},
418 	{
419 		"only exit insn",
420 		.insns = {
421 			BPF_EXIT_INSN(),
422 		},
423 		.errstr = "R0 !read_ok",
424 		.result = REJECT,
425 	},
426 	{
427 		"unreachable",
428 		.insns = {
429 			BPF_EXIT_INSN(),
430 			BPF_EXIT_INSN(),
431 		},
432 		.errstr = "unreachable",
433 		.result = REJECT,
434 	},
435 	{
436 		"unreachable2",
437 		.insns = {
438 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
439 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
440 			BPF_EXIT_INSN(),
441 		},
442 		.errstr = "unreachable",
443 		.result = REJECT,
444 	},
445 	{
446 		"out of range jump",
447 		.insns = {
448 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
449 			BPF_EXIT_INSN(),
450 		},
451 		.errstr = "jump out of range",
452 		.result = REJECT,
453 	},
454 	{
455 		"out of range jump2",
456 		.insns = {
457 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
458 			BPF_EXIT_INSN(),
459 		},
460 		.errstr = "jump out of range",
461 		.result = REJECT,
462 	},
463 	{
464 		"test1 ld_imm64",
465 		.insns = {
466 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
467 			BPF_LD_IMM64(BPF_REG_0, 0),
468 			BPF_LD_IMM64(BPF_REG_0, 0),
469 			BPF_LD_IMM64(BPF_REG_0, 1),
470 			BPF_LD_IMM64(BPF_REG_0, 1),
471 			BPF_MOV64_IMM(BPF_REG_0, 2),
472 			BPF_EXIT_INSN(),
473 		},
474 		.errstr = "invalid BPF_LD_IMM insn",
475 		.errstr_unpriv = "R1 pointer comparison",
476 		.result = REJECT,
477 	},
478 	{
479 		"test2 ld_imm64",
480 		.insns = {
481 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
482 			BPF_LD_IMM64(BPF_REG_0, 0),
483 			BPF_LD_IMM64(BPF_REG_0, 0),
484 			BPF_LD_IMM64(BPF_REG_0, 1),
485 			BPF_LD_IMM64(BPF_REG_0, 1),
486 			BPF_EXIT_INSN(),
487 		},
488 		.errstr = "invalid BPF_LD_IMM insn",
489 		.errstr_unpriv = "R1 pointer comparison",
490 		.result = REJECT,
491 	},
492 	{
493 		"test3 ld_imm64",
494 		.insns = {
495 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
496 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
497 			BPF_LD_IMM64(BPF_REG_0, 0),
498 			BPF_LD_IMM64(BPF_REG_0, 0),
499 			BPF_LD_IMM64(BPF_REG_0, 1),
500 			BPF_LD_IMM64(BPF_REG_0, 1),
501 			BPF_EXIT_INSN(),
502 		},
503 		.errstr = "invalid bpf_ld_imm64 insn",
504 		.result = REJECT,
505 	},
506 	{
507 		"test4 ld_imm64",
508 		.insns = {
509 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
510 			BPF_EXIT_INSN(),
511 		},
512 		.errstr = "invalid bpf_ld_imm64 insn",
513 		.result = REJECT,
514 	},
515 	{
516 		"test5 ld_imm64",
517 		.insns = {
518 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
519 		},
520 		.errstr = "invalid bpf_ld_imm64 insn",
521 		.result = REJECT,
522 	},
523 	{
524 		"test6 ld_imm64",
525 		.insns = {
526 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
527 			BPF_RAW_INSN(0, 0, 0, 0, 0),
528 			BPF_EXIT_INSN(),
529 		},
530 		.result = ACCEPT,
531 	},
532 	{
533 		"test7 ld_imm64",
534 		.insns = {
535 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
536 			BPF_RAW_INSN(0, 0, 0, 0, 1),
537 			BPF_EXIT_INSN(),
538 		},
539 		.result = ACCEPT,
540 		.retval = 1,
541 	},
542 	{
543 		"test8 ld_imm64",
544 		.insns = {
545 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
546 			BPF_RAW_INSN(0, 0, 0, 0, 1),
547 			BPF_EXIT_INSN(),
548 		},
549 		.errstr = "uses reserved fields",
550 		.result = REJECT,
551 	},
552 	{
553 		"test9 ld_imm64",
554 		.insns = {
555 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
556 			BPF_RAW_INSN(0, 0, 0, 1, 1),
557 			BPF_EXIT_INSN(),
558 		},
559 		.errstr = "invalid bpf_ld_imm64 insn",
560 		.result = REJECT,
561 	},
562 	{
563 		"test10 ld_imm64",
564 		.insns = {
565 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
566 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
567 			BPF_EXIT_INSN(),
568 		},
569 		.errstr = "invalid bpf_ld_imm64 insn",
570 		.result = REJECT,
571 	},
572 	{
573 		"test11 ld_imm64",
574 		.insns = {
575 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
576 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
577 			BPF_EXIT_INSN(),
578 		},
579 		.errstr = "invalid bpf_ld_imm64 insn",
580 		.result = REJECT,
581 	},
582 	{
583 		"test12 ld_imm64",
584 		.insns = {
585 			BPF_MOV64_IMM(BPF_REG_1, 0),
586 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
587 			BPF_RAW_INSN(0, 0, 0, 0, 1),
588 			BPF_EXIT_INSN(),
589 		},
590 		.errstr = "not pointing to valid bpf_map",
591 		.result = REJECT,
592 	},
593 	{
594 		"test13 ld_imm64",
595 		.insns = {
596 			BPF_MOV64_IMM(BPF_REG_1, 0),
597 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
598 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
599 			BPF_EXIT_INSN(),
600 		},
601 		.errstr = "invalid bpf_ld_imm64 insn",
602 		.result = REJECT,
603 	},
604 	{
605 		"arsh32 on imm",
606 		.insns = {
607 			BPF_MOV64_IMM(BPF_REG_0, 1),
608 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
609 			BPF_EXIT_INSN(),
610 		},
611 		.result = REJECT,
612 		.errstr = "unknown opcode c4",
613 	},
614 	{
615 		"arsh32 on reg",
616 		.insns = {
617 			BPF_MOV64_IMM(BPF_REG_0, 1),
618 			BPF_MOV64_IMM(BPF_REG_1, 5),
619 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
620 			BPF_EXIT_INSN(),
621 		},
622 		.result = REJECT,
623 		.errstr = "unknown opcode cc",
624 	},
625 	{
626 		"arsh64 on imm",
627 		.insns = {
628 			BPF_MOV64_IMM(BPF_REG_0, 1),
629 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
630 			BPF_EXIT_INSN(),
631 		},
632 		.result = ACCEPT,
633 	},
634 	{
635 		"arsh64 on reg",
636 		.insns = {
637 			BPF_MOV64_IMM(BPF_REG_0, 1),
638 			BPF_MOV64_IMM(BPF_REG_1, 5),
639 			BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
640 			BPF_EXIT_INSN(),
641 		},
642 		.result = ACCEPT,
643 	},
644 	{
645 		"no bpf_exit",
646 		.insns = {
647 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
648 		},
649 		.errstr = "not an exit",
650 		.result = REJECT,
651 	},
652 	{
653 		"loop (back-edge)",
654 		.insns = {
655 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
656 			BPF_EXIT_INSN(),
657 		},
658 		.errstr = "back-edge",
659 		.result = REJECT,
660 	},
661 	{
662 		"loop2 (back-edge)",
663 		.insns = {
664 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
665 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
666 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
667 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
668 			BPF_EXIT_INSN(),
669 		},
670 		.errstr = "back-edge",
671 		.result = REJECT,
672 	},
673 	{
674 		"conditional loop",
675 		.insns = {
676 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
677 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
678 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
679 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
680 			BPF_EXIT_INSN(),
681 		},
682 		.errstr = "back-edge",
683 		.result = REJECT,
684 	},
685 	{
686 		"read uninitialized register",
687 		.insns = {
688 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
689 			BPF_EXIT_INSN(),
690 		},
691 		.errstr = "R2 !read_ok",
692 		.result = REJECT,
693 	},
694 	{
695 		"read invalid register",
696 		.insns = {
697 			BPF_MOV64_REG(BPF_REG_0, -1),
698 			BPF_EXIT_INSN(),
699 		},
700 		.errstr = "R15 is invalid",
701 		.result = REJECT,
702 	},
703 	{
704 		"program doesn't init R0 before exit",
705 		.insns = {
706 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
707 			BPF_EXIT_INSN(),
708 		},
709 		.errstr = "R0 !read_ok",
710 		.result = REJECT,
711 	},
712 	{
713 		"program doesn't init R0 before exit in all branches",
714 		.insns = {
715 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
716 			BPF_MOV64_IMM(BPF_REG_0, 1),
717 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
718 			BPF_EXIT_INSN(),
719 		},
720 		.errstr = "R0 !read_ok",
721 		.errstr_unpriv = "R1 pointer comparison",
722 		.result = REJECT,
723 	},
724 	{
725 		"stack out of bounds",
726 		.insns = {
727 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
728 			BPF_EXIT_INSN(),
729 		},
730 		.errstr = "invalid stack",
731 		.result = REJECT,
732 	},
733 	{
734 		"invalid call insn1",
735 		.insns = {
736 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
737 			BPF_EXIT_INSN(),
738 		},
739 		.errstr = "unknown opcode 8d",
740 		.result = REJECT,
741 	},
742 	{
743 		"invalid call insn2",
744 		.insns = {
745 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
746 			BPF_EXIT_INSN(),
747 		},
748 		.errstr = "BPF_CALL uses reserved",
749 		.result = REJECT,
750 	},
751 	{
752 		"invalid function call",
753 		.insns = {
754 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
755 			BPF_EXIT_INSN(),
756 		},
757 		.errstr = "invalid func unknown#1234567",
758 		.result = REJECT,
759 	},
760 	{
761 		"uninitialized stack1",
762 		.insns = {
763 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
764 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
765 			BPF_LD_MAP_FD(BPF_REG_1, 0),
766 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
767 				     BPF_FUNC_map_lookup_elem),
768 			BPF_EXIT_INSN(),
769 		},
770 		.fixup_map1 = { 2 },
771 		.errstr = "invalid indirect read from stack",
772 		.result = REJECT,
773 	},
774 	{
775 		"uninitialized stack2",
776 		.insns = {
777 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
778 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
779 			BPF_EXIT_INSN(),
780 		},
781 		.errstr = "invalid read from stack",
782 		.result = REJECT,
783 	},
784 	{
785 		"invalid fp arithmetic",
786 		/* If this gets ever changed, make sure JITs can deal with it. */
787 		.insns = {
788 			BPF_MOV64_IMM(BPF_REG_0, 0),
789 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
790 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
791 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
792 			BPF_EXIT_INSN(),
793 		},
794 		.errstr = "R1 subtraction from stack pointer",
795 		.result = REJECT,
796 	},
797 	{
798 		"non-invalid fp arithmetic",
799 		.insns = {
800 			BPF_MOV64_IMM(BPF_REG_0, 0),
801 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
802 			BPF_EXIT_INSN(),
803 		},
804 		.result = ACCEPT,
805 	},
806 	{
807 		"invalid argument register",
808 		.insns = {
809 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
810 				     BPF_FUNC_get_cgroup_classid),
811 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
812 				     BPF_FUNC_get_cgroup_classid),
813 			BPF_EXIT_INSN(),
814 		},
815 		.errstr = "R1 !read_ok",
816 		.result = REJECT,
817 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
818 	},
819 	{
820 		"non-invalid argument register",
821 		.insns = {
822 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
823 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
824 				     BPF_FUNC_get_cgroup_classid),
825 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
826 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
827 				     BPF_FUNC_get_cgroup_classid),
828 			BPF_EXIT_INSN(),
829 		},
830 		.result = ACCEPT,
831 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
832 	},
833 	{
834 		"check valid spill/fill",
835 		.insns = {
836 			/* spill R1(ctx) into stack */
837 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
838 			/* fill it back into R2 */
839 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
840 			/* should be able to access R0 = *(R2 + 8) */
841 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
842 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
843 			BPF_EXIT_INSN(),
844 		},
845 		.errstr_unpriv = "R0 leaks addr",
846 		.result = ACCEPT,
847 		.result_unpriv = REJECT,
848 		.retval = POINTER_VALUE,
849 	},
850 	{
851 		"check valid spill/fill, skb mark",
852 		.insns = {
853 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
854 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
855 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
856 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
857 				    offsetof(struct __sk_buff, mark)),
858 			BPF_EXIT_INSN(),
859 		},
860 		.result = ACCEPT,
861 		.result_unpriv = ACCEPT,
862 	},
863 	{
864 		"check corrupted spill/fill",
865 		.insns = {
866 			/* spill R1(ctx) into stack */
867 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
868 			/* mess up with R1 pointer on stack */
869 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
870 			/* fill back into R0 should fail */
871 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
872 			BPF_EXIT_INSN(),
873 		},
874 		.errstr_unpriv = "attempt to corrupt spilled",
875 		.errstr = "corrupted spill",
876 		.result = REJECT,
877 	},
878 	{
879 		"invalid src register in STX",
880 		.insns = {
881 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
882 			BPF_EXIT_INSN(),
883 		},
884 		.errstr = "R15 is invalid",
885 		.result = REJECT,
886 	},
887 	{
888 		"invalid dst register in STX",
889 		.insns = {
890 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
891 			BPF_EXIT_INSN(),
892 		},
893 		.errstr = "R14 is invalid",
894 		.result = REJECT,
895 	},
896 	{
897 		"invalid dst register in ST",
898 		.insns = {
899 			BPF_ST_MEM(BPF_B, 14, -1, -1),
900 			BPF_EXIT_INSN(),
901 		},
902 		.errstr = "R14 is invalid",
903 		.result = REJECT,
904 	},
905 	{
906 		"invalid src register in LDX",
907 		.insns = {
908 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
909 			BPF_EXIT_INSN(),
910 		},
911 		.errstr = "R12 is invalid",
912 		.result = REJECT,
913 	},
914 	{
915 		"invalid dst register in LDX",
916 		.insns = {
917 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
918 			BPF_EXIT_INSN(),
919 		},
920 		.errstr = "R11 is invalid",
921 		.result = REJECT,
922 	},
923 	{
924 		"junk insn",
925 		.insns = {
926 			BPF_RAW_INSN(0, 0, 0, 0, 0),
927 			BPF_EXIT_INSN(),
928 		},
929 		.errstr = "unknown opcode 00",
930 		.result = REJECT,
931 	},
932 	{
933 		"junk insn2",
934 		.insns = {
935 			BPF_RAW_INSN(1, 0, 0, 0, 0),
936 			BPF_EXIT_INSN(),
937 		},
938 		.errstr = "BPF_LDX uses reserved fields",
939 		.result = REJECT,
940 	},
941 	{
942 		"junk insn3",
943 		.insns = {
944 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
945 			BPF_EXIT_INSN(),
946 		},
947 		.errstr = "unknown opcode ff",
948 		.result = REJECT,
949 	},
950 	{
951 		"junk insn4",
952 		.insns = {
953 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
954 			BPF_EXIT_INSN(),
955 		},
956 		.errstr = "unknown opcode ff",
957 		.result = REJECT,
958 	},
959 	{
960 		"junk insn5",
961 		.insns = {
962 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
963 			BPF_EXIT_INSN(),
964 		},
965 		.errstr = "BPF_ALU uses reserved fields",
966 		.result = REJECT,
967 	},
968 	{
969 		"misaligned read from stack",
970 		.insns = {
971 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
972 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
973 			BPF_EXIT_INSN(),
974 		},
975 		.errstr = "misaligned stack access",
976 		.result = REJECT,
977 	},
978 	{
979 		"invalid map_fd for function call",
980 		.insns = {
981 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
982 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
983 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
984 			BPF_LD_MAP_FD(BPF_REG_1, 0),
985 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
986 				     BPF_FUNC_map_delete_elem),
987 			BPF_EXIT_INSN(),
988 		},
989 		.errstr = "fd 0 is not pointing to valid bpf_map",
990 		.result = REJECT,
991 	},
992 	{
993 		"don't check return value before access",
994 		.insns = {
995 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
996 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
997 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
998 			BPF_LD_MAP_FD(BPF_REG_1, 0),
999 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1000 				     BPF_FUNC_map_lookup_elem),
1001 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1002 			BPF_EXIT_INSN(),
1003 		},
1004 		.fixup_map1 = { 3 },
1005 		.errstr = "R0 invalid mem access 'map_value_or_null'",
1006 		.result = REJECT,
1007 	},
1008 	{
1009 		"access memory with incorrect alignment",
1010 		.insns = {
1011 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1012 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1013 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1014 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1015 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1016 				     BPF_FUNC_map_lookup_elem),
1017 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1018 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1019 			BPF_EXIT_INSN(),
1020 		},
1021 		.fixup_map1 = { 3 },
1022 		.errstr = "misaligned value access",
1023 		.result = REJECT,
1024 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1025 	},
1026 	{
1027 		"sometimes access memory with incorrect alignment",
1028 		.insns = {
1029 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1030 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1031 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1032 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1033 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1034 				     BPF_FUNC_map_lookup_elem),
1035 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1036 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1037 			BPF_EXIT_INSN(),
1038 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1039 			BPF_EXIT_INSN(),
1040 		},
1041 		.fixup_map1 = { 3 },
1042 		.errstr = "R0 invalid mem access",
1043 		.errstr_unpriv = "R0 leaks addr",
1044 		.result = REJECT,
1045 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1046 	},
1047 	{
1048 		"jump test 1",
1049 		.insns = {
1050 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1051 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1052 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1053 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1054 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1055 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1056 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1057 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1058 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1059 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1060 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1061 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1062 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1063 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1064 			BPF_MOV64_IMM(BPF_REG_0, 0),
1065 			BPF_EXIT_INSN(),
1066 		},
1067 		.errstr_unpriv = "R1 pointer comparison",
1068 		.result_unpriv = REJECT,
1069 		.result = ACCEPT,
1070 	},
1071 	{
1072 		"jump test 2",
1073 		.insns = {
1074 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1075 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1076 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1077 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1078 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1079 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1080 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1081 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1082 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1083 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1084 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1085 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1086 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1087 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1088 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1089 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1090 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1091 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1092 			BPF_MOV64_IMM(BPF_REG_0, 0),
1093 			BPF_EXIT_INSN(),
1094 		},
1095 		.errstr_unpriv = "R1 pointer comparison",
1096 		.result_unpriv = REJECT,
1097 		.result = ACCEPT,
1098 	},
1099 	{
1100 		"jump test 3",
1101 		.insns = {
1102 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1103 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1104 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1105 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1106 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1107 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1108 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1110 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1111 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1112 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1113 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1114 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1115 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1116 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1118 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1119 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1120 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1121 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1122 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1123 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1124 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1125 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1126 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1127 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1128 				     BPF_FUNC_map_delete_elem),
1129 			BPF_EXIT_INSN(),
1130 		},
1131 		.fixup_map1 = { 24 },
1132 		.errstr_unpriv = "R1 pointer comparison",
1133 		.result_unpriv = REJECT,
1134 		.result = ACCEPT,
1135 		.retval = -ENOENT,
1136 	},
1137 	{
1138 		"jump test 4",
1139 		.insns = {
1140 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1141 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1142 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1143 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1144 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1146 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1147 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1148 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1149 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1150 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1151 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1152 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1153 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1154 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1155 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1156 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1157 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1158 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1159 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1160 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1161 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1162 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1163 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1164 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1165 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1166 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1167 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1168 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1169 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1170 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1171 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1172 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1173 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1174 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1175 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1176 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1177 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1178 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1179 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1180 			BPF_MOV64_IMM(BPF_REG_0, 0),
1181 			BPF_EXIT_INSN(),
1182 		},
1183 		.errstr_unpriv = "R1 pointer comparison",
1184 		.result_unpriv = REJECT,
1185 		.result = ACCEPT,
1186 	},
1187 	{
1188 		"jump test 5",
1189 		.insns = {
1190 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1191 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1192 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1193 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1194 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1195 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1196 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1197 			BPF_MOV64_IMM(BPF_REG_0, 0),
1198 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1199 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1200 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1201 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1202 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1203 			BPF_MOV64_IMM(BPF_REG_0, 0),
1204 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1205 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1206 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1207 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1208 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1209 			BPF_MOV64_IMM(BPF_REG_0, 0),
1210 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1211 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1212 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1213 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1214 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1215 			BPF_MOV64_IMM(BPF_REG_0, 0),
1216 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1217 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1218 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1219 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1220 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1221 			BPF_MOV64_IMM(BPF_REG_0, 0),
1222 			BPF_EXIT_INSN(),
1223 		},
1224 		.errstr_unpriv = "R1 pointer comparison",
1225 		.result_unpriv = REJECT,
1226 		.result = ACCEPT,
1227 	},
1228 	{
1229 		"access skb fields ok",
1230 		.insns = {
1231 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1232 				    offsetof(struct __sk_buff, len)),
1233 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1234 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1235 				    offsetof(struct __sk_buff, mark)),
1236 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1237 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1238 				    offsetof(struct __sk_buff, pkt_type)),
1239 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1240 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1241 				    offsetof(struct __sk_buff, queue_mapping)),
1242 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1243 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1244 				    offsetof(struct __sk_buff, protocol)),
1245 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1246 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1247 				    offsetof(struct __sk_buff, vlan_present)),
1248 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1249 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1250 				    offsetof(struct __sk_buff, vlan_tci)),
1251 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1252 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1253 				    offsetof(struct __sk_buff, napi_id)),
1254 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1255 			BPF_EXIT_INSN(),
1256 		},
1257 		.result = ACCEPT,
1258 	},
1259 	{
1260 		"access skb fields bad1",
1261 		.insns = {
1262 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1263 			BPF_EXIT_INSN(),
1264 		},
1265 		.errstr = "invalid bpf_context access",
1266 		.result = REJECT,
1267 	},
1268 	{
1269 		"access skb fields bad2",
1270 		.insns = {
1271 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1272 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1273 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1274 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1275 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1276 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1277 				     BPF_FUNC_map_lookup_elem),
1278 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1279 			BPF_EXIT_INSN(),
1280 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1281 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1282 				    offsetof(struct __sk_buff, pkt_type)),
1283 			BPF_EXIT_INSN(),
1284 		},
1285 		.fixup_map1 = { 4 },
1286 		.errstr = "different pointers",
1287 		.errstr_unpriv = "R1 pointer comparison",
1288 		.result = REJECT,
1289 	},
1290 	{
1291 		"access skb fields bad3",
1292 		.insns = {
1293 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1295 				    offsetof(struct __sk_buff, pkt_type)),
1296 			BPF_EXIT_INSN(),
1297 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1298 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1299 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1300 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1301 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1302 				     BPF_FUNC_map_lookup_elem),
1303 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1304 			BPF_EXIT_INSN(),
1305 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1306 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1307 		},
1308 		.fixup_map1 = { 6 },
1309 		.errstr = "different pointers",
1310 		.errstr_unpriv = "R1 pointer comparison",
1311 		.result = REJECT,
1312 	},
1313 	{
1314 		"access skb fields bad4",
1315 		.insns = {
1316 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1317 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1318 				    offsetof(struct __sk_buff, len)),
1319 			BPF_MOV64_IMM(BPF_REG_0, 0),
1320 			BPF_EXIT_INSN(),
1321 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1322 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1323 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1324 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1325 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1326 				     BPF_FUNC_map_lookup_elem),
1327 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1328 			BPF_EXIT_INSN(),
1329 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1330 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1331 		},
1332 		.fixup_map1 = { 7 },
1333 		.errstr = "different pointers",
1334 		.errstr_unpriv = "R1 pointer comparison",
1335 		.result = REJECT,
1336 	},
1337 	{
1338 		"invalid access __sk_buff family",
1339 		.insns = {
1340 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1341 				    offsetof(struct __sk_buff, family)),
1342 			BPF_EXIT_INSN(),
1343 		},
1344 		.errstr = "invalid bpf_context access",
1345 		.result = REJECT,
1346 	},
1347 	{
1348 		"invalid access __sk_buff remote_ip4",
1349 		.insns = {
1350 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 				    offsetof(struct __sk_buff, remote_ip4)),
1352 			BPF_EXIT_INSN(),
1353 		},
1354 		.errstr = "invalid bpf_context access",
1355 		.result = REJECT,
1356 	},
1357 	{
1358 		"invalid access __sk_buff local_ip4",
1359 		.insns = {
1360 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1361 				    offsetof(struct __sk_buff, local_ip4)),
1362 			BPF_EXIT_INSN(),
1363 		},
1364 		.errstr = "invalid bpf_context access",
1365 		.result = REJECT,
1366 	},
1367 	{
1368 		"invalid access __sk_buff remote_ip6",
1369 		.insns = {
1370 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 				    offsetof(struct __sk_buff, remote_ip6)),
1372 			BPF_EXIT_INSN(),
1373 		},
1374 		.errstr = "invalid bpf_context access",
1375 		.result = REJECT,
1376 	},
1377 	{
1378 		"invalid access __sk_buff local_ip6",
1379 		.insns = {
1380 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1381 				    offsetof(struct __sk_buff, local_ip6)),
1382 			BPF_EXIT_INSN(),
1383 		},
1384 		.errstr = "invalid bpf_context access",
1385 		.result = REJECT,
1386 	},
1387 	{
1388 		"invalid access __sk_buff remote_port",
1389 		.insns = {
1390 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1391 				    offsetof(struct __sk_buff, remote_port)),
1392 			BPF_EXIT_INSN(),
1393 		},
1394 		.errstr = "invalid bpf_context access",
1395 		.result = REJECT,
1396 	},
1397 	{
1398 		"invalid access __sk_buff remote_port",
1399 		.insns = {
1400 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1401 				    offsetof(struct __sk_buff, local_port)),
1402 			BPF_EXIT_INSN(),
1403 		},
1404 		.errstr = "invalid bpf_context access",
1405 		.result = REJECT,
1406 	},
1407 	{
1408 		"valid access __sk_buff family",
1409 		.insns = {
1410 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1411 				    offsetof(struct __sk_buff, family)),
1412 			BPF_EXIT_INSN(),
1413 		},
1414 		.result = ACCEPT,
1415 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1416 	},
1417 	{
1418 		"valid access __sk_buff remote_ip4",
1419 		.insns = {
1420 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1421 				    offsetof(struct __sk_buff, remote_ip4)),
1422 			BPF_EXIT_INSN(),
1423 		},
1424 		.result = ACCEPT,
1425 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1426 	},
1427 	{
1428 		"valid access __sk_buff local_ip4",
1429 		.insns = {
1430 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1431 				    offsetof(struct __sk_buff, local_ip4)),
1432 			BPF_EXIT_INSN(),
1433 		},
1434 		.result = ACCEPT,
1435 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1436 	},
1437 	{
1438 		"valid access __sk_buff remote_ip6",
1439 		.insns = {
1440 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1441 				    offsetof(struct __sk_buff, remote_ip6[0])),
1442 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1443 				    offsetof(struct __sk_buff, remote_ip6[1])),
1444 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1445 				    offsetof(struct __sk_buff, remote_ip6[2])),
1446 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1447 				    offsetof(struct __sk_buff, remote_ip6[3])),
1448 			BPF_EXIT_INSN(),
1449 		},
1450 		.result = ACCEPT,
1451 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1452 	},
1453 	{
1454 		"valid access __sk_buff local_ip6",
1455 		.insns = {
1456 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1457 				    offsetof(struct __sk_buff, local_ip6[0])),
1458 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1459 				    offsetof(struct __sk_buff, local_ip6[1])),
1460 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1461 				    offsetof(struct __sk_buff, local_ip6[2])),
1462 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1463 				    offsetof(struct __sk_buff, local_ip6[3])),
1464 			BPF_EXIT_INSN(),
1465 		},
1466 		.result = ACCEPT,
1467 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1468 	},
1469 	{
1470 		"valid access __sk_buff remote_port",
1471 		.insns = {
1472 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1473 				    offsetof(struct __sk_buff, remote_port)),
1474 			BPF_EXIT_INSN(),
1475 		},
1476 		.result = ACCEPT,
1477 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1478 	},
1479 	{
1480 		"valid access __sk_buff remote_port",
1481 		.insns = {
1482 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1483 				    offsetof(struct __sk_buff, local_port)),
1484 			BPF_EXIT_INSN(),
1485 		},
1486 		.result = ACCEPT,
1487 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1488 	},
1489 	{
1490 		"invalid access of tc_classid for SK_SKB",
1491 		.insns = {
1492 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1493 				    offsetof(struct __sk_buff, tc_classid)),
1494 			BPF_EXIT_INSN(),
1495 		},
1496 		.result = REJECT,
1497 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1498 		.errstr = "invalid bpf_context access",
1499 	},
1500 	{
1501 		"invalid access of skb->mark for SK_SKB",
1502 		.insns = {
1503 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 				    offsetof(struct __sk_buff, mark)),
1505 			BPF_EXIT_INSN(),
1506 		},
1507 		.result =  REJECT,
1508 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1509 		.errstr = "invalid bpf_context access",
1510 	},
1511 	{
1512 		"check skb->mark is not writeable by SK_SKB",
1513 		.insns = {
1514 			BPF_MOV64_IMM(BPF_REG_0, 0),
1515 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1516 				    offsetof(struct __sk_buff, mark)),
1517 			BPF_EXIT_INSN(),
1518 		},
1519 		.result =  REJECT,
1520 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1521 		.errstr = "invalid bpf_context access",
1522 	},
1523 	{
1524 		"check skb->tc_index is writeable by SK_SKB",
1525 		.insns = {
1526 			BPF_MOV64_IMM(BPF_REG_0, 0),
1527 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1528 				    offsetof(struct __sk_buff, tc_index)),
1529 			BPF_EXIT_INSN(),
1530 		},
1531 		.result = ACCEPT,
1532 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1533 	},
1534 	{
1535 		"check skb->priority is writeable by SK_SKB",
1536 		.insns = {
1537 			BPF_MOV64_IMM(BPF_REG_0, 0),
1538 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1539 				    offsetof(struct __sk_buff, priority)),
1540 			BPF_EXIT_INSN(),
1541 		},
1542 		.result = ACCEPT,
1543 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1544 	},
1545 	{
1546 		"direct packet read for SK_SKB",
1547 		.insns = {
1548 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1549 				    offsetof(struct __sk_buff, data)),
1550 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1551 				    offsetof(struct __sk_buff, data_end)),
1552 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1553 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1554 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1555 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1556 			BPF_MOV64_IMM(BPF_REG_0, 0),
1557 			BPF_EXIT_INSN(),
1558 		},
1559 		.result = ACCEPT,
1560 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1561 	},
1562 	{
1563 		"direct packet write for SK_SKB",
1564 		.insns = {
1565 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1566 				    offsetof(struct __sk_buff, data)),
1567 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1568 				    offsetof(struct __sk_buff, data_end)),
1569 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1570 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1571 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1572 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1573 			BPF_MOV64_IMM(BPF_REG_0, 0),
1574 			BPF_EXIT_INSN(),
1575 		},
1576 		.result = ACCEPT,
1577 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1578 	},
1579 	{
1580 		"overlapping checks for direct packet access SK_SKB",
1581 		.insns = {
1582 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1583 				    offsetof(struct __sk_buff, data)),
1584 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1585 				    offsetof(struct __sk_buff, data_end)),
1586 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1587 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1588 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1589 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1590 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1591 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1592 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1593 			BPF_MOV64_IMM(BPF_REG_0, 0),
1594 			BPF_EXIT_INSN(),
1595 		},
1596 		.result = ACCEPT,
1597 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1598 	},
1599 	{
1600 		"check skb->mark is not writeable by sockets",
1601 		.insns = {
1602 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1603 				    offsetof(struct __sk_buff, mark)),
1604 			BPF_EXIT_INSN(),
1605 		},
1606 		.errstr = "invalid bpf_context access",
1607 		.errstr_unpriv = "R1 leaks addr",
1608 		.result = REJECT,
1609 	},
1610 	{
1611 		"check skb->tc_index is not writeable by sockets",
1612 		.insns = {
1613 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1614 				    offsetof(struct __sk_buff, tc_index)),
1615 			BPF_EXIT_INSN(),
1616 		},
1617 		.errstr = "invalid bpf_context access",
1618 		.errstr_unpriv = "R1 leaks addr",
1619 		.result = REJECT,
1620 	},
1621 	{
1622 		"check cb access: byte",
1623 		.insns = {
1624 			BPF_MOV64_IMM(BPF_REG_0, 0),
1625 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1626 				    offsetof(struct __sk_buff, cb[0])),
1627 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1628 				    offsetof(struct __sk_buff, cb[0]) + 1),
1629 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1630 				    offsetof(struct __sk_buff, cb[0]) + 2),
1631 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1632 				    offsetof(struct __sk_buff, cb[0]) + 3),
1633 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1634 				    offsetof(struct __sk_buff, cb[1])),
1635 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1636 				    offsetof(struct __sk_buff, cb[1]) + 1),
1637 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1638 				    offsetof(struct __sk_buff, cb[1]) + 2),
1639 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1640 				    offsetof(struct __sk_buff, cb[1]) + 3),
1641 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1642 				    offsetof(struct __sk_buff, cb[2])),
1643 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1644 				    offsetof(struct __sk_buff, cb[2]) + 1),
1645 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1646 				    offsetof(struct __sk_buff, cb[2]) + 2),
1647 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1648 				    offsetof(struct __sk_buff, cb[2]) + 3),
1649 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1650 				    offsetof(struct __sk_buff, cb[3])),
1651 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1652 				    offsetof(struct __sk_buff, cb[3]) + 1),
1653 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1654 				    offsetof(struct __sk_buff, cb[3]) + 2),
1655 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1656 				    offsetof(struct __sk_buff, cb[3]) + 3),
1657 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1658 				    offsetof(struct __sk_buff, cb[4])),
1659 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1660 				    offsetof(struct __sk_buff, cb[4]) + 1),
1661 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1662 				    offsetof(struct __sk_buff, cb[4]) + 2),
1663 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1664 				    offsetof(struct __sk_buff, cb[4]) + 3),
1665 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1666 				    offsetof(struct __sk_buff, cb[0])),
1667 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1668 				    offsetof(struct __sk_buff, cb[0]) + 1),
1669 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1670 				    offsetof(struct __sk_buff, cb[0]) + 2),
1671 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1672 				    offsetof(struct __sk_buff, cb[0]) + 3),
1673 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1674 				    offsetof(struct __sk_buff, cb[1])),
1675 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1676 				    offsetof(struct __sk_buff, cb[1]) + 1),
1677 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1678 				    offsetof(struct __sk_buff, cb[1]) + 2),
1679 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1680 				    offsetof(struct __sk_buff, cb[1]) + 3),
1681 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1682 				    offsetof(struct __sk_buff, cb[2])),
1683 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1684 				    offsetof(struct __sk_buff, cb[2]) + 1),
1685 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1686 				    offsetof(struct __sk_buff, cb[2]) + 2),
1687 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1688 				    offsetof(struct __sk_buff, cb[2]) + 3),
1689 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1690 				    offsetof(struct __sk_buff, cb[3])),
1691 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1692 				    offsetof(struct __sk_buff, cb[3]) + 1),
1693 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1694 				    offsetof(struct __sk_buff, cb[3]) + 2),
1695 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1696 				    offsetof(struct __sk_buff, cb[3]) + 3),
1697 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1698 				    offsetof(struct __sk_buff, cb[4])),
1699 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1700 				    offsetof(struct __sk_buff, cb[4]) + 1),
1701 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1702 				    offsetof(struct __sk_buff, cb[4]) + 2),
1703 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1704 				    offsetof(struct __sk_buff, cb[4]) + 3),
1705 			BPF_EXIT_INSN(),
1706 		},
1707 		.result = ACCEPT,
1708 	},
1709 	{
1710 		"__sk_buff->hash, offset 0, byte store not permitted",
1711 		.insns = {
1712 			BPF_MOV64_IMM(BPF_REG_0, 0),
1713 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1714 				    offsetof(struct __sk_buff, hash)),
1715 			BPF_EXIT_INSN(),
1716 		},
1717 		.errstr = "invalid bpf_context access",
1718 		.result = REJECT,
1719 	},
1720 	{
1721 		"__sk_buff->tc_index, offset 3, byte store not permitted",
1722 		.insns = {
1723 			BPF_MOV64_IMM(BPF_REG_0, 0),
1724 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1725 				    offsetof(struct __sk_buff, tc_index) + 3),
1726 			BPF_EXIT_INSN(),
1727 		},
1728 		.errstr = "invalid bpf_context access",
1729 		.result = REJECT,
1730 	},
1731 	{
1732 		"check skb->hash byte load permitted",
1733 		.insns = {
1734 			BPF_MOV64_IMM(BPF_REG_0, 0),
1735 #if __BYTE_ORDER == __LITTLE_ENDIAN
1736 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1737 				    offsetof(struct __sk_buff, hash)),
1738 #else
1739 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1740 				    offsetof(struct __sk_buff, hash) + 3),
1741 #endif
1742 			BPF_EXIT_INSN(),
1743 		},
1744 		.result = ACCEPT,
1745 	},
1746 	{
1747 		"check skb->hash byte load not permitted 1",
1748 		.insns = {
1749 			BPF_MOV64_IMM(BPF_REG_0, 0),
1750 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1751 				    offsetof(struct __sk_buff, hash) + 1),
1752 			BPF_EXIT_INSN(),
1753 		},
1754 		.errstr = "invalid bpf_context access",
1755 		.result = REJECT,
1756 	},
1757 	{
1758 		"check skb->hash byte load not permitted 2",
1759 		.insns = {
1760 			BPF_MOV64_IMM(BPF_REG_0, 0),
1761 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1762 				    offsetof(struct __sk_buff, hash) + 2),
1763 			BPF_EXIT_INSN(),
1764 		},
1765 		.errstr = "invalid bpf_context access",
1766 		.result = REJECT,
1767 	},
1768 	{
1769 		"check skb->hash byte load not permitted 3",
1770 		.insns = {
1771 			BPF_MOV64_IMM(BPF_REG_0, 0),
1772 #if __BYTE_ORDER == __LITTLE_ENDIAN
1773 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1774 				    offsetof(struct __sk_buff, hash) + 3),
1775 #else
1776 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1777 				    offsetof(struct __sk_buff, hash)),
1778 #endif
1779 			BPF_EXIT_INSN(),
1780 		},
1781 		.errstr = "invalid bpf_context access",
1782 		.result = REJECT,
1783 	},
1784 	{
1785 		"check cb access: byte, wrong type",
1786 		.insns = {
1787 			BPF_MOV64_IMM(BPF_REG_0, 0),
1788 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1789 				    offsetof(struct __sk_buff, cb[0])),
1790 			BPF_EXIT_INSN(),
1791 		},
1792 		.errstr = "invalid bpf_context access",
1793 		.result = REJECT,
1794 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1795 	},
1796 	{
1797 		"check cb access: half",
1798 		.insns = {
1799 			BPF_MOV64_IMM(BPF_REG_0, 0),
1800 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1801 				    offsetof(struct __sk_buff, cb[0])),
1802 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1803 				    offsetof(struct __sk_buff, cb[0]) + 2),
1804 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1805 				    offsetof(struct __sk_buff, cb[1])),
1806 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1807 				    offsetof(struct __sk_buff, cb[1]) + 2),
1808 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1809 				    offsetof(struct __sk_buff, cb[2])),
1810 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1811 				    offsetof(struct __sk_buff, cb[2]) + 2),
1812 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1813 				    offsetof(struct __sk_buff, cb[3])),
1814 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1815 				    offsetof(struct __sk_buff, cb[3]) + 2),
1816 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1817 				    offsetof(struct __sk_buff, cb[4])),
1818 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1819 				    offsetof(struct __sk_buff, cb[4]) + 2),
1820 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1821 				    offsetof(struct __sk_buff, cb[0])),
1822 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1823 				    offsetof(struct __sk_buff, cb[0]) + 2),
1824 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1825 				    offsetof(struct __sk_buff, cb[1])),
1826 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1827 				    offsetof(struct __sk_buff, cb[1]) + 2),
1828 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1829 				    offsetof(struct __sk_buff, cb[2])),
1830 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1831 				    offsetof(struct __sk_buff, cb[2]) + 2),
1832 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1833 				    offsetof(struct __sk_buff, cb[3])),
1834 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1835 				    offsetof(struct __sk_buff, cb[3]) + 2),
1836 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1837 				    offsetof(struct __sk_buff, cb[4])),
1838 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1839 				    offsetof(struct __sk_buff, cb[4]) + 2),
1840 			BPF_EXIT_INSN(),
1841 		},
1842 		.result = ACCEPT,
1843 	},
1844 	{
1845 		"check cb access: half, unaligned",
1846 		.insns = {
1847 			BPF_MOV64_IMM(BPF_REG_0, 0),
1848 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1849 				    offsetof(struct __sk_buff, cb[0]) + 1),
1850 			BPF_EXIT_INSN(),
1851 		},
1852 		.errstr = "misaligned context access",
1853 		.result = REJECT,
1854 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1855 	},
1856 	{
1857 		"check __sk_buff->hash, offset 0, half store not permitted",
1858 		.insns = {
1859 			BPF_MOV64_IMM(BPF_REG_0, 0),
1860 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1861 				    offsetof(struct __sk_buff, hash)),
1862 			BPF_EXIT_INSN(),
1863 		},
1864 		.errstr = "invalid bpf_context access",
1865 		.result = REJECT,
1866 	},
1867 	{
1868 		"check __sk_buff->tc_index, offset 2, half store not permitted",
1869 		.insns = {
1870 			BPF_MOV64_IMM(BPF_REG_0, 0),
1871 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1872 				    offsetof(struct __sk_buff, tc_index) + 2),
1873 			BPF_EXIT_INSN(),
1874 		},
1875 		.errstr = "invalid bpf_context access",
1876 		.result = REJECT,
1877 	},
1878 	{
1879 		"check skb->hash half load permitted",
1880 		.insns = {
1881 			BPF_MOV64_IMM(BPF_REG_0, 0),
1882 #if __BYTE_ORDER == __LITTLE_ENDIAN
1883 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1884 				    offsetof(struct __sk_buff, hash)),
1885 #else
1886 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1887 				    offsetof(struct __sk_buff, hash) + 2),
1888 #endif
1889 			BPF_EXIT_INSN(),
1890 		},
1891 		.result = ACCEPT,
1892 	},
1893 	{
1894 		"check skb->hash half load not permitted",
1895 		.insns = {
1896 			BPF_MOV64_IMM(BPF_REG_0, 0),
1897 #if __BYTE_ORDER == __LITTLE_ENDIAN
1898 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1899 				    offsetof(struct __sk_buff, hash) + 2),
1900 #else
1901 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1902 				    offsetof(struct __sk_buff, hash)),
1903 #endif
1904 			BPF_EXIT_INSN(),
1905 		},
1906 		.errstr = "invalid bpf_context access",
1907 		.result = REJECT,
1908 	},
1909 	{
1910 		"check cb access: half, wrong type",
1911 		.insns = {
1912 			BPF_MOV64_IMM(BPF_REG_0, 0),
1913 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1914 				    offsetof(struct __sk_buff, cb[0])),
1915 			BPF_EXIT_INSN(),
1916 		},
1917 		.errstr = "invalid bpf_context access",
1918 		.result = REJECT,
1919 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1920 	},
1921 	{
1922 		"check cb access: word",
1923 		.insns = {
1924 			BPF_MOV64_IMM(BPF_REG_0, 0),
1925 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1926 				    offsetof(struct __sk_buff, cb[0])),
1927 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1928 				    offsetof(struct __sk_buff, cb[1])),
1929 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1930 				    offsetof(struct __sk_buff, cb[2])),
1931 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1932 				    offsetof(struct __sk_buff, cb[3])),
1933 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1934 				    offsetof(struct __sk_buff, cb[4])),
1935 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1936 				    offsetof(struct __sk_buff, cb[0])),
1937 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1938 				    offsetof(struct __sk_buff, cb[1])),
1939 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1940 				    offsetof(struct __sk_buff, cb[2])),
1941 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1942 				    offsetof(struct __sk_buff, cb[3])),
1943 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1944 				    offsetof(struct __sk_buff, cb[4])),
1945 			BPF_EXIT_INSN(),
1946 		},
1947 		.result = ACCEPT,
1948 	},
1949 	{
1950 		"check cb access: word, unaligned 1",
1951 		.insns = {
1952 			BPF_MOV64_IMM(BPF_REG_0, 0),
1953 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1954 				    offsetof(struct __sk_buff, cb[0]) + 2),
1955 			BPF_EXIT_INSN(),
1956 		},
1957 		.errstr = "misaligned context access",
1958 		.result = REJECT,
1959 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1960 	},
1961 	{
1962 		"check cb access: word, unaligned 2",
1963 		.insns = {
1964 			BPF_MOV64_IMM(BPF_REG_0, 0),
1965 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1966 				    offsetof(struct __sk_buff, cb[4]) + 1),
1967 			BPF_EXIT_INSN(),
1968 		},
1969 		.errstr = "misaligned context access",
1970 		.result = REJECT,
1971 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1972 	},
1973 	{
1974 		"check cb access: word, unaligned 3",
1975 		.insns = {
1976 			BPF_MOV64_IMM(BPF_REG_0, 0),
1977 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1978 				    offsetof(struct __sk_buff, cb[4]) + 2),
1979 			BPF_EXIT_INSN(),
1980 		},
1981 		.errstr = "misaligned context access",
1982 		.result = REJECT,
1983 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1984 	},
1985 	{
1986 		"check cb access: word, unaligned 4",
1987 		.insns = {
1988 			BPF_MOV64_IMM(BPF_REG_0, 0),
1989 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1990 				    offsetof(struct __sk_buff, cb[4]) + 3),
1991 			BPF_EXIT_INSN(),
1992 		},
1993 		.errstr = "misaligned context access",
1994 		.result = REJECT,
1995 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1996 	},
1997 	{
1998 		"check cb access: double",
1999 		.insns = {
2000 			BPF_MOV64_IMM(BPF_REG_0, 0),
2001 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2002 				    offsetof(struct __sk_buff, cb[0])),
2003 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2004 				    offsetof(struct __sk_buff, cb[2])),
2005 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2006 				    offsetof(struct __sk_buff, cb[0])),
2007 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2008 				    offsetof(struct __sk_buff, cb[2])),
2009 			BPF_EXIT_INSN(),
2010 		},
2011 		.result = ACCEPT,
2012 	},
2013 	{
2014 		"check cb access: double, unaligned 1",
2015 		.insns = {
2016 			BPF_MOV64_IMM(BPF_REG_0, 0),
2017 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2018 				    offsetof(struct __sk_buff, cb[1])),
2019 			BPF_EXIT_INSN(),
2020 		},
2021 		.errstr = "misaligned context access",
2022 		.result = REJECT,
2023 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2024 	},
2025 	{
2026 		"check cb access: double, unaligned 2",
2027 		.insns = {
2028 			BPF_MOV64_IMM(BPF_REG_0, 0),
2029 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2030 				    offsetof(struct __sk_buff, cb[3])),
2031 			BPF_EXIT_INSN(),
2032 		},
2033 		.errstr = "misaligned context access",
2034 		.result = REJECT,
2035 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2036 	},
2037 	{
2038 		"check cb access: double, oob 1",
2039 		.insns = {
2040 			BPF_MOV64_IMM(BPF_REG_0, 0),
2041 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2042 				    offsetof(struct __sk_buff, cb[4])),
2043 			BPF_EXIT_INSN(),
2044 		},
2045 		.errstr = "invalid bpf_context access",
2046 		.result = REJECT,
2047 	},
2048 	{
2049 		"check cb access: double, oob 2",
2050 		.insns = {
2051 			BPF_MOV64_IMM(BPF_REG_0, 0),
2052 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2053 				    offsetof(struct __sk_buff, cb[4])),
2054 			BPF_EXIT_INSN(),
2055 		},
2056 		.errstr = "invalid bpf_context access",
2057 		.result = REJECT,
2058 	},
2059 	{
2060 		"check __sk_buff->ifindex dw store not permitted",
2061 		.insns = {
2062 			BPF_MOV64_IMM(BPF_REG_0, 0),
2063 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2064 				    offsetof(struct __sk_buff, ifindex)),
2065 			BPF_EXIT_INSN(),
2066 		},
2067 		.errstr = "invalid bpf_context access",
2068 		.result = REJECT,
2069 	},
2070 	{
2071 		"check __sk_buff->ifindex dw load not permitted",
2072 		.insns = {
2073 			BPF_MOV64_IMM(BPF_REG_0, 0),
2074 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2075 				    offsetof(struct __sk_buff, ifindex)),
2076 			BPF_EXIT_INSN(),
2077 		},
2078 		.errstr = "invalid bpf_context access",
2079 		.result = REJECT,
2080 	},
2081 	{
2082 		"check cb access: double, wrong type",
2083 		.insns = {
2084 			BPF_MOV64_IMM(BPF_REG_0, 0),
2085 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2086 				    offsetof(struct __sk_buff, cb[0])),
2087 			BPF_EXIT_INSN(),
2088 		},
2089 		.errstr = "invalid bpf_context access",
2090 		.result = REJECT,
2091 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2092 	},
2093 	{
2094 		"check out of range skb->cb access",
2095 		.insns = {
2096 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2097 				    offsetof(struct __sk_buff, cb[0]) + 256),
2098 			BPF_EXIT_INSN(),
2099 		},
2100 		.errstr = "invalid bpf_context access",
2101 		.errstr_unpriv = "",
2102 		.result = REJECT,
2103 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
2104 	},
2105 	{
2106 		"write skb fields from socket prog",
2107 		.insns = {
2108 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2109 				    offsetof(struct __sk_buff, cb[4])),
2110 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2111 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2112 				    offsetof(struct __sk_buff, mark)),
2113 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2114 				    offsetof(struct __sk_buff, tc_index)),
2115 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2116 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2117 				    offsetof(struct __sk_buff, cb[0])),
2118 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2119 				    offsetof(struct __sk_buff, cb[2])),
2120 			BPF_EXIT_INSN(),
2121 		},
2122 		.result = ACCEPT,
2123 		.errstr_unpriv = "R1 leaks addr",
2124 		.result_unpriv = REJECT,
2125 	},
2126 	{
2127 		"write skb fields from tc_cls_act prog",
2128 		.insns = {
2129 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2130 				    offsetof(struct __sk_buff, cb[0])),
2131 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2132 				    offsetof(struct __sk_buff, mark)),
2133 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2134 				    offsetof(struct __sk_buff, tc_index)),
2135 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2136 				    offsetof(struct __sk_buff, tc_index)),
2137 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2138 				    offsetof(struct __sk_buff, cb[3])),
2139 			BPF_EXIT_INSN(),
2140 		},
2141 		.errstr_unpriv = "",
2142 		.result_unpriv = REJECT,
2143 		.result = ACCEPT,
2144 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2145 	},
2146 	{
2147 		"PTR_TO_STACK store/load",
2148 		.insns = {
2149 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2150 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2151 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2152 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2153 			BPF_EXIT_INSN(),
2154 		},
2155 		.result = ACCEPT,
2156 		.retval = 0xfaceb00c,
2157 	},
2158 	{
2159 		"PTR_TO_STACK store/load - bad alignment on off",
2160 		.insns = {
2161 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2162 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2163 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2164 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2165 			BPF_EXIT_INSN(),
2166 		},
2167 		.result = REJECT,
2168 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2169 	},
2170 	{
2171 		"PTR_TO_STACK store/load - bad alignment on reg",
2172 		.insns = {
2173 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2174 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2175 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2176 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2177 			BPF_EXIT_INSN(),
2178 		},
2179 		.result = REJECT,
2180 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2181 	},
2182 	{
2183 		"PTR_TO_STACK store/load - out of bounds low",
2184 		.insns = {
2185 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2186 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2187 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2188 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2189 			BPF_EXIT_INSN(),
2190 		},
2191 		.result = REJECT,
2192 		.errstr = "invalid stack off=-79992 size=8",
2193 	},
2194 	{
2195 		"PTR_TO_STACK store/load - out of bounds high",
2196 		.insns = {
2197 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2198 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2199 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2200 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2201 			BPF_EXIT_INSN(),
2202 		},
2203 		.result = REJECT,
2204 		.errstr = "invalid stack off=0 size=8",
2205 	},
2206 	{
2207 		"unpriv: return pointer",
2208 		.insns = {
2209 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2210 			BPF_EXIT_INSN(),
2211 		},
2212 		.result = ACCEPT,
2213 		.result_unpriv = REJECT,
2214 		.errstr_unpriv = "R0 leaks addr",
2215 		.retval = POINTER_VALUE,
2216 	},
2217 	{
2218 		"unpriv: add const to pointer",
2219 		.insns = {
2220 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2221 			BPF_MOV64_IMM(BPF_REG_0, 0),
2222 			BPF_EXIT_INSN(),
2223 		},
2224 		.result = ACCEPT,
2225 	},
2226 	{
2227 		"unpriv: add pointer to pointer",
2228 		.insns = {
2229 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2230 			BPF_MOV64_IMM(BPF_REG_0, 0),
2231 			BPF_EXIT_INSN(),
2232 		},
2233 		.result = REJECT,
2234 		.errstr = "R1 pointer += pointer",
2235 	},
2236 	{
2237 		"unpriv: neg pointer",
2238 		.insns = {
2239 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2240 			BPF_MOV64_IMM(BPF_REG_0, 0),
2241 			BPF_EXIT_INSN(),
2242 		},
2243 		.result = ACCEPT,
2244 		.result_unpriv = REJECT,
2245 		.errstr_unpriv = "R1 pointer arithmetic",
2246 	},
2247 	{
2248 		"unpriv: cmp pointer with const",
2249 		.insns = {
2250 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2251 			BPF_MOV64_IMM(BPF_REG_0, 0),
2252 			BPF_EXIT_INSN(),
2253 		},
2254 		.result = ACCEPT,
2255 		.result_unpriv = REJECT,
2256 		.errstr_unpriv = "R1 pointer comparison",
2257 	},
2258 	{
2259 		"unpriv: cmp pointer with pointer",
2260 		.insns = {
2261 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2262 			BPF_MOV64_IMM(BPF_REG_0, 0),
2263 			BPF_EXIT_INSN(),
2264 		},
2265 		.result = ACCEPT,
2266 		.result_unpriv = REJECT,
2267 		.errstr_unpriv = "R10 pointer comparison",
2268 	},
2269 	{
2270 		"unpriv: check that printk is disallowed",
2271 		.insns = {
2272 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2273 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2274 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2275 			BPF_MOV64_IMM(BPF_REG_2, 8),
2276 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2277 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2278 				     BPF_FUNC_trace_printk),
2279 			BPF_MOV64_IMM(BPF_REG_0, 0),
2280 			BPF_EXIT_INSN(),
2281 		},
2282 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
2283 		.result_unpriv = REJECT,
2284 		.result = ACCEPT,
2285 	},
2286 	{
2287 		"unpriv: pass pointer to helper function",
2288 		.insns = {
2289 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2290 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2291 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2292 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2293 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2294 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2295 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2296 				     BPF_FUNC_map_update_elem),
2297 			BPF_MOV64_IMM(BPF_REG_0, 0),
2298 			BPF_EXIT_INSN(),
2299 		},
2300 		.fixup_map1 = { 3 },
2301 		.errstr_unpriv = "R4 leaks addr",
2302 		.result_unpriv = REJECT,
2303 		.result = ACCEPT,
2304 	},
2305 	{
2306 		"unpriv: indirectly pass pointer on stack to helper function",
2307 		.insns = {
2308 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2309 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2310 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2311 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2312 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2313 				     BPF_FUNC_map_lookup_elem),
2314 			BPF_MOV64_IMM(BPF_REG_0, 0),
2315 			BPF_EXIT_INSN(),
2316 		},
2317 		.fixup_map1 = { 3 },
2318 		.errstr = "invalid indirect read from stack off -8+0 size 8",
2319 		.result = REJECT,
2320 	},
2321 	{
2322 		"unpriv: mangle pointer on stack 1",
2323 		.insns = {
2324 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2325 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2326 			BPF_MOV64_IMM(BPF_REG_0, 0),
2327 			BPF_EXIT_INSN(),
2328 		},
2329 		.errstr_unpriv = "attempt to corrupt spilled",
2330 		.result_unpriv = REJECT,
2331 		.result = ACCEPT,
2332 	},
2333 	{
2334 		"unpriv: mangle pointer on stack 2",
2335 		.insns = {
2336 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2337 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2338 			BPF_MOV64_IMM(BPF_REG_0, 0),
2339 			BPF_EXIT_INSN(),
2340 		},
2341 		.errstr_unpriv = "attempt to corrupt spilled",
2342 		.result_unpriv = REJECT,
2343 		.result = ACCEPT,
2344 	},
2345 	{
2346 		"unpriv: read pointer from stack in small chunks",
2347 		.insns = {
2348 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2349 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2350 			BPF_MOV64_IMM(BPF_REG_0, 0),
2351 			BPF_EXIT_INSN(),
2352 		},
2353 		.errstr = "invalid size",
2354 		.result = REJECT,
2355 	},
2356 	{
2357 		"unpriv: write pointer into ctx",
2358 		.insns = {
2359 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2360 			BPF_MOV64_IMM(BPF_REG_0, 0),
2361 			BPF_EXIT_INSN(),
2362 		},
2363 		.errstr_unpriv = "R1 leaks addr",
2364 		.result_unpriv = REJECT,
2365 		.errstr = "invalid bpf_context access",
2366 		.result = REJECT,
2367 	},
2368 	{
2369 		"unpriv: spill/fill of ctx",
2370 		.insns = {
2371 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2372 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2373 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2374 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2375 			BPF_MOV64_IMM(BPF_REG_0, 0),
2376 			BPF_EXIT_INSN(),
2377 		},
2378 		.result = ACCEPT,
2379 	},
2380 	{
2381 		"unpriv: spill/fill of ctx 2",
2382 		.insns = {
2383 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2384 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2385 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2386 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2387 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2388 				     BPF_FUNC_get_hash_recalc),
2389 			BPF_MOV64_IMM(BPF_REG_0, 0),
2390 			BPF_EXIT_INSN(),
2391 		},
2392 		.result = ACCEPT,
2393 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2394 	},
2395 	{
2396 		"unpriv: spill/fill of ctx 3",
2397 		.insns = {
2398 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2399 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2400 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2401 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2402 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2403 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2404 				     BPF_FUNC_get_hash_recalc),
2405 			BPF_EXIT_INSN(),
2406 		},
2407 		.result = REJECT,
2408 		.errstr = "R1 type=fp expected=ctx",
2409 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2410 	},
2411 	{
2412 		"unpriv: spill/fill of ctx 4",
2413 		.insns = {
2414 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2415 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2416 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2417 			BPF_MOV64_IMM(BPF_REG_0, 1),
2418 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2419 				     BPF_REG_0, -8, 0),
2420 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2421 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2422 				     BPF_FUNC_get_hash_recalc),
2423 			BPF_EXIT_INSN(),
2424 		},
2425 		.result = REJECT,
2426 		.errstr = "R1 type=inv expected=ctx",
2427 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2428 	},
2429 	{
2430 		"unpriv: spill/fill of different pointers stx",
2431 		.insns = {
2432 			BPF_MOV64_IMM(BPF_REG_3, 42),
2433 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2434 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2435 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2436 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2437 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2438 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2439 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2440 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2441 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2442 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2443 				    offsetof(struct __sk_buff, mark)),
2444 			BPF_MOV64_IMM(BPF_REG_0, 0),
2445 			BPF_EXIT_INSN(),
2446 		},
2447 		.result = REJECT,
2448 		.errstr = "same insn cannot be used with different pointers",
2449 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2450 	},
2451 	{
2452 		"unpriv: spill/fill of different pointers ldx",
2453 		.insns = {
2454 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2455 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2456 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2457 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2459 				      -(__s32)offsetof(struct bpf_perf_event_data,
2460 						       sample_period) - 8),
2461 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2462 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2463 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2464 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2465 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2466 				    offsetof(struct bpf_perf_event_data,
2467 					     sample_period)),
2468 			BPF_MOV64_IMM(BPF_REG_0, 0),
2469 			BPF_EXIT_INSN(),
2470 		},
2471 		.result = REJECT,
2472 		.errstr = "same insn cannot be used with different pointers",
2473 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2474 	},
2475 	{
2476 		"unpriv: write pointer into map elem value",
2477 		.insns = {
2478 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2479 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2481 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2482 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2483 				     BPF_FUNC_map_lookup_elem),
2484 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2485 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2486 			BPF_EXIT_INSN(),
2487 		},
2488 		.fixup_map1 = { 3 },
2489 		.errstr_unpriv = "R0 leaks addr",
2490 		.result_unpriv = REJECT,
2491 		.result = ACCEPT,
2492 	},
2493 	{
2494 		"unpriv: partial copy of pointer",
2495 		.insns = {
2496 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2497 			BPF_MOV64_IMM(BPF_REG_0, 0),
2498 			BPF_EXIT_INSN(),
2499 		},
2500 		.errstr_unpriv = "R10 partial copy",
2501 		.result_unpriv = REJECT,
2502 		.result = ACCEPT,
2503 	},
2504 	{
2505 		"unpriv: pass pointer to tail_call",
2506 		.insns = {
2507 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2508 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2509 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2510 				     BPF_FUNC_tail_call),
2511 			BPF_MOV64_IMM(BPF_REG_0, 0),
2512 			BPF_EXIT_INSN(),
2513 		},
2514 		.fixup_prog = { 1 },
2515 		.errstr_unpriv = "R3 leaks addr into helper",
2516 		.result_unpriv = REJECT,
2517 		.result = ACCEPT,
2518 	},
2519 	{
2520 		"unpriv: cmp map pointer with zero",
2521 		.insns = {
2522 			BPF_MOV64_IMM(BPF_REG_1, 0),
2523 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2524 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2525 			BPF_MOV64_IMM(BPF_REG_0, 0),
2526 			BPF_EXIT_INSN(),
2527 		},
2528 		.fixup_map1 = { 1 },
2529 		.errstr_unpriv = "R1 pointer comparison",
2530 		.result_unpriv = REJECT,
2531 		.result = ACCEPT,
2532 	},
2533 	{
2534 		"unpriv: write into frame pointer",
2535 		.insns = {
2536 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2537 			BPF_MOV64_IMM(BPF_REG_0, 0),
2538 			BPF_EXIT_INSN(),
2539 		},
2540 		.errstr = "frame pointer is read only",
2541 		.result = REJECT,
2542 	},
2543 	{
2544 		"unpriv: spill/fill frame pointer",
2545 		.insns = {
2546 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2547 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2548 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2549 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2550 			BPF_MOV64_IMM(BPF_REG_0, 0),
2551 			BPF_EXIT_INSN(),
2552 		},
2553 		.errstr = "frame pointer is read only",
2554 		.result = REJECT,
2555 	},
2556 	{
2557 		"unpriv: cmp of frame pointer",
2558 		.insns = {
2559 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2560 			BPF_MOV64_IMM(BPF_REG_0, 0),
2561 			BPF_EXIT_INSN(),
2562 		},
2563 		.errstr_unpriv = "R10 pointer comparison",
2564 		.result_unpriv = REJECT,
2565 		.result = ACCEPT,
2566 	},
2567 	{
2568 		"unpriv: adding of fp",
2569 		.insns = {
2570 			BPF_MOV64_IMM(BPF_REG_0, 0),
2571 			BPF_MOV64_IMM(BPF_REG_1, 0),
2572 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2573 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2574 			BPF_EXIT_INSN(),
2575 		},
2576 		.result = ACCEPT,
2577 	},
2578 	{
2579 		"unpriv: cmp of stack pointer",
2580 		.insns = {
2581 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2582 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2583 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2584 			BPF_MOV64_IMM(BPF_REG_0, 0),
2585 			BPF_EXIT_INSN(),
2586 		},
2587 		.errstr_unpriv = "R2 pointer comparison",
2588 		.result_unpriv = REJECT,
2589 		.result = ACCEPT,
2590 	},
2591 	{
2592 		"runtime/jit: tail_call within bounds, prog once",
2593 		.insns = {
2594 			BPF_MOV64_IMM(BPF_REG_3, 0),
2595 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2596 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2597 				     BPF_FUNC_tail_call),
2598 			BPF_MOV64_IMM(BPF_REG_0, 1),
2599 			BPF_EXIT_INSN(),
2600 		},
2601 		.fixup_prog = { 1 },
2602 		.result = ACCEPT,
2603 		.retval = 42,
2604 	},
2605 	{
2606 		"runtime/jit: tail_call within bounds, prog loop",
2607 		.insns = {
2608 			BPF_MOV64_IMM(BPF_REG_3, 1),
2609 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2610 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2611 				     BPF_FUNC_tail_call),
2612 			BPF_MOV64_IMM(BPF_REG_0, 1),
2613 			BPF_EXIT_INSN(),
2614 		},
2615 		.fixup_prog = { 1 },
2616 		.result = ACCEPT,
2617 		.retval = 41,
2618 	},
2619 	{
2620 		"runtime/jit: tail_call within bounds, no prog",
2621 		.insns = {
2622 			BPF_MOV64_IMM(BPF_REG_3, 2),
2623 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2624 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2625 				     BPF_FUNC_tail_call),
2626 			BPF_MOV64_IMM(BPF_REG_0, 1),
2627 			BPF_EXIT_INSN(),
2628 		},
2629 		.fixup_prog = { 1 },
2630 		.result = ACCEPT,
2631 		.retval = 1,
2632 	},
2633 	{
2634 		"runtime/jit: tail_call out of bounds",
2635 		.insns = {
2636 			BPF_MOV64_IMM(BPF_REG_3, 256),
2637 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2638 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2639 				     BPF_FUNC_tail_call),
2640 			BPF_MOV64_IMM(BPF_REG_0, 2),
2641 			BPF_EXIT_INSN(),
2642 		},
2643 		.fixup_prog = { 1 },
2644 		.result = ACCEPT,
2645 		.retval = 2,
2646 	},
2647 	{
2648 		"runtime/jit: pass negative index to tail_call",
2649 		.insns = {
2650 			BPF_MOV64_IMM(BPF_REG_3, -1),
2651 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2652 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2653 				     BPF_FUNC_tail_call),
2654 			BPF_MOV64_IMM(BPF_REG_0, 2),
2655 			BPF_EXIT_INSN(),
2656 		},
2657 		.fixup_prog = { 1 },
2658 		.result = ACCEPT,
2659 		.retval = 2,
2660 	},
2661 	{
2662 		"runtime/jit: pass > 32bit index to tail_call",
2663 		.insns = {
2664 			BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2665 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2666 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2667 				     BPF_FUNC_tail_call),
2668 			BPF_MOV64_IMM(BPF_REG_0, 2),
2669 			BPF_EXIT_INSN(),
2670 		},
2671 		.fixup_prog = { 2 },
2672 		.result = ACCEPT,
2673 		.retval = 42,
2674 	},
2675 	{
2676 		"stack pointer arithmetic",
2677 		.insns = {
2678 			BPF_MOV64_IMM(BPF_REG_1, 4),
2679 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2680 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2681 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2682 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2683 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2684 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2685 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2686 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2687 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2688 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2689 			BPF_MOV64_IMM(BPF_REG_0, 0),
2690 			BPF_EXIT_INSN(),
2691 		},
2692 		.result = ACCEPT,
2693 	},
2694 	{
2695 		"raw_stack: no skb_load_bytes",
2696 		.insns = {
2697 			BPF_MOV64_IMM(BPF_REG_2, 4),
2698 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2700 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2701 			BPF_MOV64_IMM(BPF_REG_4, 8),
2702 			/* Call to skb_load_bytes() omitted. */
2703 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2704 			BPF_EXIT_INSN(),
2705 		},
2706 		.result = REJECT,
2707 		.errstr = "invalid read from stack off -8+0 size 8",
2708 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2709 	},
2710 	{
2711 		"raw_stack: skb_load_bytes, negative len",
2712 		.insns = {
2713 			BPF_MOV64_IMM(BPF_REG_2, 4),
2714 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2715 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2716 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2717 			BPF_MOV64_IMM(BPF_REG_4, -8),
2718 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2719 				     BPF_FUNC_skb_load_bytes),
2720 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2721 			BPF_EXIT_INSN(),
2722 		},
2723 		.result = REJECT,
2724 		.errstr = "R4 min value is negative",
2725 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2726 	},
2727 	{
2728 		"raw_stack: skb_load_bytes, negative len 2",
2729 		.insns = {
2730 			BPF_MOV64_IMM(BPF_REG_2, 4),
2731 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2732 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2733 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2734 			BPF_MOV64_IMM(BPF_REG_4, ~0),
2735 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2736 				     BPF_FUNC_skb_load_bytes),
2737 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2738 			BPF_EXIT_INSN(),
2739 		},
2740 		.result = REJECT,
2741 		.errstr = "R4 min value is negative",
2742 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2743 	},
2744 	{
2745 		"raw_stack: skb_load_bytes, zero len",
2746 		.insns = {
2747 			BPF_MOV64_IMM(BPF_REG_2, 4),
2748 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2749 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2750 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2751 			BPF_MOV64_IMM(BPF_REG_4, 0),
2752 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2753 				     BPF_FUNC_skb_load_bytes),
2754 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2755 			BPF_EXIT_INSN(),
2756 		},
2757 		.result = REJECT,
2758 		.errstr = "invalid stack type R3",
2759 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2760 	},
2761 	{
2762 		"raw_stack: skb_load_bytes, no init",
2763 		.insns = {
2764 			BPF_MOV64_IMM(BPF_REG_2, 4),
2765 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2766 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2767 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2768 			BPF_MOV64_IMM(BPF_REG_4, 8),
2769 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2770 				     BPF_FUNC_skb_load_bytes),
2771 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2772 			BPF_EXIT_INSN(),
2773 		},
2774 		.result = ACCEPT,
2775 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2776 	},
2777 	{
2778 		"raw_stack: skb_load_bytes, init",
2779 		.insns = {
2780 			BPF_MOV64_IMM(BPF_REG_2, 4),
2781 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2782 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2783 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2784 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2785 			BPF_MOV64_IMM(BPF_REG_4, 8),
2786 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2787 				     BPF_FUNC_skb_load_bytes),
2788 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2789 			BPF_EXIT_INSN(),
2790 		},
2791 		.result = ACCEPT,
2792 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2793 	},
2794 	{
2795 		"raw_stack: skb_load_bytes, spilled regs around bounds",
2796 		.insns = {
2797 			BPF_MOV64_IMM(BPF_REG_2, 4),
2798 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2800 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2801 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2802 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2803 			BPF_MOV64_IMM(BPF_REG_4, 8),
2804 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2805 				     BPF_FUNC_skb_load_bytes),
2806 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2807 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2808 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2809 				    offsetof(struct __sk_buff, mark)),
2810 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2811 				    offsetof(struct __sk_buff, priority)),
2812 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2813 			BPF_EXIT_INSN(),
2814 		},
2815 		.result = ACCEPT,
2816 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2817 	},
2818 	{
2819 		"raw_stack: skb_load_bytes, spilled regs corruption",
2820 		.insns = {
2821 			BPF_MOV64_IMM(BPF_REG_2, 4),
2822 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2823 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2824 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2825 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2826 			BPF_MOV64_IMM(BPF_REG_4, 8),
2827 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2828 				     BPF_FUNC_skb_load_bytes),
2829 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2830 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2831 				    offsetof(struct __sk_buff, mark)),
2832 			BPF_EXIT_INSN(),
2833 		},
2834 		.result = REJECT,
2835 		.errstr = "R0 invalid mem access 'inv'",
2836 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2837 	},
2838 	{
2839 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
2840 		.insns = {
2841 			BPF_MOV64_IMM(BPF_REG_2, 4),
2842 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2843 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2844 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2845 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2846 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2847 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2848 			BPF_MOV64_IMM(BPF_REG_4, 8),
2849 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2850 				     BPF_FUNC_skb_load_bytes),
2851 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2852 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2853 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2854 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2855 				    offsetof(struct __sk_buff, mark)),
2856 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2857 				    offsetof(struct __sk_buff, priority)),
2858 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2859 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2860 				    offsetof(struct __sk_buff, pkt_type)),
2861 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2862 			BPF_EXIT_INSN(),
2863 		},
2864 		.result = REJECT,
2865 		.errstr = "R3 invalid mem access 'inv'",
2866 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2867 	},
2868 	{
2869 		"raw_stack: skb_load_bytes, spilled regs + data",
2870 		.insns = {
2871 			BPF_MOV64_IMM(BPF_REG_2, 4),
2872 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2873 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2874 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2875 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2876 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2877 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2878 			BPF_MOV64_IMM(BPF_REG_4, 8),
2879 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2880 				     BPF_FUNC_skb_load_bytes),
2881 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2882 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2883 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2884 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2885 				    offsetof(struct __sk_buff, mark)),
2886 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2887 				    offsetof(struct __sk_buff, priority)),
2888 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2889 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2890 			BPF_EXIT_INSN(),
2891 		},
2892 		.result = ACCEPT,
2893 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2894 	},
2895 	{
2896 		"raw_stack: skb_load_bytes, invalid access 1",
2897 		.insns = {
2898 			BPF_MOV64_IMM(BPF_REG_2, 4),
2899 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2901 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2902 			BPF_MOV64_IMM(BPF_REG_4, 8),
2903 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2904 				     BPF_FUNC_skb_load_bytes),
2905 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2906 			BPF_EXIT_INSN(),
2907 		},
2908 		.result = REJECT,
2909 		.errstr = "invalid stack type R3 off=-513 access_size=8",
2910 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2911 	},
2912 	{
2913 		"raw_stack: skb_load_bytes, invalid access 2",
2914 		.insns = {
2915 			BPF_MOV64_IMM(BPF_REG_2, 4),
2916 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2918 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2919 			BPF_MOV64_IMM(BPF_REG_4, 8),
2920 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2921 				     BPF_FUNC_skb_load_bytes),
2922 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2923 			BPF_EXIT_INSN(),
2924 		},
2925 		.result = REJECT,
2926 		.errstr = "invalid stack type R3 off=-1 access_size=8",
2927 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2928 	},
2929 	{
2930 		"raw_stack: skb_load_bytes, invalid access 3",
2931 		.insns = {
2932 			BPF_MOV64_IMM(BPF_REG_2, 4),
2933 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2934 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2935 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2936 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2937 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2938 				     BPF_FUNC_skb_load_bytes),
2939 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2940 			BPF_EXIT_INSN(),
2941 		},
2942 		.result = REJECT,
2943 		.errstr = "R4 min value is negative",
2944 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2945 	},
2946 	{
2947 		"raw_stack: skb_load_bytes, invalid access 4",
2948 		.insns = {
2949 			BPF_MOV64_IMM(BPF_REG_2, 4),
2950 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2951 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2952 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2953 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2954 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2955 				     BPF_FUNC_skb_load_bytes),
2956 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2957 			BPF_EXIT_INSN(),
2958 		},
2959 		.result = REJECT,
2960 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2961 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2962 	},
2963 	{
2964 		"raw_stack: skb_load_bytes, invalid access 5",
2965 		.insns = {
2966 			BPF_MOV64_IMM(BPF_REG_2, 4),
2967 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2969 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2970 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2971 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2972 				     BPF_FUNC_skb_load_bytes),
2973 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2974 			BPF_EXIT_INSN(),
2975 		},
2976 		.result = REJECT,
2977 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2978 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2979 	},
2980 	{
2981 		"raw_stack: skb_load_bytes, invalid access 6",
2982 		.insns = {
2983 			BPF_MOV64_IMM(BPF_REG_2, 4),
2984 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2985 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2986 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2987 			BPF_MOV64_IMM(BPF_REG_4, 0),
2988 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2989 				     BPF_FUNC_skb_load_bytes),
2990 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2991 			BPF_EXIT_INSN(),
2992 		},
2993 		.result = REJECT,
2994 		.errstr = "invalid stack type R3 off=-512 access_size=0",
2995 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2996 	},
2997 	{
2998 		"raw_stack: skb_load_bytes, large access",
2999 		.insns = {
3000 			BPF_MOV64_IMM(BPF_REG_2, 4),
3001 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3002 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3003 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3004 			BPF_MOV64_IMM(BPF_REG_4, 512),
3005 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3006 				     BPF_FUNC_skb_load_bytes),
3007 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3008 			BPF_EXIT_INSN(),
3009 		},
3010 		.result = ACCEPT,
3011 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3012 	},
3013 	{
3014 		"context stores via ST",
3015 		.insns = {
3016 			BPF_MOV64_IMM(BPF_REG_0, 0),
3017 			BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3018 			BPF_EXIT_INSN(),
3019 		},
3020 		.errstr = "BPF_ST stores into R1 context is not allowed",
3021 		.result = REJECT,
3022 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3023 	},
3024 	{
3025 		"context stores via XADD",
3026 		.insns = {
3027 			BPF_MOV64_IMM(BPF_REG_0, 0),
3028 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3029 				     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3030 			BPF_EXIT_INSN(),
3031 		},
3032 		.errstr = "BPF_XADD stores into R1 context is not allowed",
3033 		.result = REJECT,
3034 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3035 	},
3036 	{
3037 		"direct packet access: test1",
3038 		.insns = {
3039 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3040 				    offsetof(struct __sk_buff, data)),
3041 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3042 				    offsetof(struct __sk_buff, data_end)),
3043 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3044 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3045 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3046 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3047 			BPF_MOV64_IMM(BPF_REG_0, 0),
3048 			BPF_EXIT_INSN(),
3049 		},
3050 		.result = ACCEPT,
3051 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3052 	},
3053 	{
3054 		"direct packet access: test2",
3055 		.insns = {
3056 			BPF_MOV64_IMM(BPF_REG_0, 1),
3057 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3058 				    offsetof(struct __sk_buff, data_end)),
3059 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3060 				    offsetof(struct __sk_buff, data)),
3061 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3062 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3063 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3064 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3065 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3066 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3067 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3068 				    offsetof(struct __sk_buff, data)),
3069 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3070 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3071 				    offsetof(struct __sk_buff, len)),
3072 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3073 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3074 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3075 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3076 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3077 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3078 				    offsetof(struct __sk_buff, data_end)),
3079 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3080 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3081 			BPF_MOV64_IMM(BPF_REG_0, 0),
3082 			BPF_EXIT_INSN(),
3083 		},
3084 		.result = ACCEPT,
3085 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3086 	},
3087 	{
3088 		"direct packet access: test3",
3089 		.insns = {
3090 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3091 				    offsetof(struct __sk_buff, data)),
3092 			BPF_MOV64_IMM(BPF_REG_0, 0),
3093 			BPF_EXIT_INSN(),
3094 		},
3095 		.errstr = "invalid bpf_context access off=76",
3096 		.result = REJECT,
3097 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3098 	},
3099 	{
3100 		"direct packet access: test4 (write)",
3101 		.insns = {
3102 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3103 				    offsetof(struct __sk_buff, data)),
3104 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3105 				    offsetof(struct __sk_buff, data_end)),
3106 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3107 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3108 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3109 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3110 			BPF_MOV64_IMM(BPF_REG_0, 0),
3111 			BPF_EXIT_INSN(),
3112 		},
3113 		.result = ACCEPT,
3114 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3115 	},
3116 	{
3117 		"direct packet access: test5 (pkt_end >= reg, good access)",
3118 		.insns = {
3119 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3120 				    offsetof(struct __sk_buff, data)),
3121 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3122 				    offsetof(struct __sk_buff, data_end)),
3123 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3124 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3125 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3126 			BPF_MOV64_IMM(BPF_REG_0, 1),
3127 			BPF_EXIT_INSN(),
3128 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3129 			BPF_MOV64_IMM(BPF_REG_0, 0),
3130 			BPF_EXIT_INSN(),
3131 		},
3132 		.result = ACCEPT,
3133 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3134 	},
3135 	{
3136 		"direct packet access: test6 (pkt_end >= reg, bad access)",
3137 		.insns = {
3138 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3139 				    offsetof(struct __sk_buff, data)),
3140 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3141 				    offsetof(struct __sk_buff, data_end)),
3142 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3143 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3144 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3145 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3146 			BPF_MOV64_IMM(BPF_REG_0, 1),
3147 			BPF_EXIT_INSN(),
3148 			BPF_MOV64_IMM(BPF_REG_0, 0),
3149 			BPF_EXIT_INSN(),
3150 		},
3151 		.errstr = "invalid access to packet",
3152 		.result = REJECT,
3153 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3154 	},
3155 	{
3156 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
3157 		.insns = {
3158 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3159 				    offsetof(struct __sk_buff, data)),
3160 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3161 				    offsetof(struct __sk_buff, data_end)),
3162 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3163 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3164 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3165 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3166 			BPF_MOV64_IMM(BPF_REG_0, 1),
3167 			BPF_EXIT_INSN(),
3168 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3169 			BPF_MOV64_IMM(BPF_REG_0, 0),
3170 			BPF_EXIT_INSN(),
3171 		},
3172 		.errstr = "invalid access to packet",
3173 		.result = REJECT,
3174 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3175 	},
3176 	{
3177 		"direct packet access: test8 (double test, variant 1)",
3178 		.insns = {
3179 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3180 				    offsetof(struct __sk_buff, data)),
3181 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3182 				    offsetof(struct __sk_buff, data_end)),
3183 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3184 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3185 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3186 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3187 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3188 			BPF_MOV64_IMM(BPF_REG_0, 1),
3189 			BPF_EXIT_INSN(),
3190 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3191 			BPF_MOV64_IMM(BPF_REG_0, 0),
3192 			BPF_EXIT_INSN(),
3193 		},
3194 		.result = ACCEPT,
3195 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3196 	},
3197 	{
3198 		"direct packet access: test9 (double test, variant 2)",
3199 		.insns = {
3200 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3201 				    offsetof(struct __sk_buff, data)),
3202 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3203 				    offsetof(struct __sk_buff, data_end)),
3204 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3206 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3207 			BPF_MOV64_IMM(BPF_REG_0, 1),
3208 			BPF_EXIT_INSN(),
3209 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3210 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3211 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3212 			BPF_MOV64_IMM(BPF_REG_0, 0),
3213 			BPF_EXIT_INSN(),
3214 		},
3215 		.result = ACCEPT,
3216 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3217 	},
3218 	{
3219 		"direct packet access: test10 (write invalid)",
3220 		.insns = {
3221 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3222 				    offsetof(struct __sk_buff, data)),
3223 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3224 				    offsetof(struct __sk_buff, data_end)),
3225 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3226 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3227 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3228 			BPF_MOV64_IMM(BPF_REG_0, 0),
3229 			BPF_EXIT_INSN(),
3230 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3231 			BPF_MOV64_IMM(BPF_REG_0, 0),
3232 			BPF_EXIT_INSN(),
3233 		},
3234 		.errstr = "invalid access to packet",
3235 		.result = REJECT,
3236 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3237 	},
3238 	{
3239 		"direct packet access: test11 (shift, good access)",
3240 		.insns = {
3241 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3242 				    offsetof(struct __sk_buff, data)),
3243 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3244 				    offsetof(struct __sk_buff, data_end)),
3245 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3246 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3247 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3248 			BPF_MOV64_IMM(BPF_REG_3, 144),
3249 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3250 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3251 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3252 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3253 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3254 			BPF_MOV64_IMM(BPF_REG_0, 1),
3255 			BPF_EXIT_INSN(),
3256 			BPF_MOV64_IMM(BPF_REG_0, 0),
3257 			BPF_EXIT_INSN(),
3258 		},
3259 		.result = ACCEPT,
3260 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3261 		.retval = 1,
3262 	},
3263 	{
3264 		"direct packet access: test12 (and, good access)",
3265 		.insns = {
3266 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3267 				    offsetof(struct __sk_buff, data)),
3268 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3269 				    offsetof(struct __sk_buff, data_end)),
3270 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3271 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3272 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3273 			BPF_MOV64_IMM(BPF_REG_3, 144),
3274 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3275 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3276 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3277 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3278 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3279 			BPF_MOV64_IMM(BPF_REG_0, 1),
3280 			BPF_EXIT_INSN(),
3281 			BPF_MOV64_IMM(BPF_REG_0, 0),
3282 			BPF_EXIT_INSN(),
3283 		},
3284 		.result = ACCEPT,
3285 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3286 		.retval = 1,
3287 	},
3288 	{
3289 		"direct packet access: test13 (branches, good access)",
3290 		.insns = {
3291 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3292 				    offsetof(struct __sk_buff, data)),
3293 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3294 				    offsetof(struct __sk_buff, data_end)),
3295 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3296 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3297 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3298 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3299 				    offsetof(struct __sk_buff, mark)),
3300 			BPF_MOV64_IMM(BPF_REG_4, 1),
3301 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3302 			BPF_MOV64_IMM(BPF_REG_3, 14),
3303 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3304 			BPF_MOV64_IMM(BPF_REG_3, 24),
3305 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3306 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3307 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3308 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3309 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3310 			BPF_MOV64_IMM(BPF_REG_0, 1),
3311 			BPF_EXIT_INSN(),
3312 			BPF_MOV64_IMM(BPF_REG_0, 0),
3313 			BPF_EXIT_INSN(),
3314 		},
3315 		.result = ACCEPT,
3316 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3317 		.retval = 1,
3318 	},
3319 	{
3320 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3321 		.insns = {
3322 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3323 				    offsetof(struct __sk_buff, data)),
3324 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3325 				    offsetof(struct __sk_buff, data_end)),
3326 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3328 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3329 			BPF_MOV64_IMM(BPF_REG_5, 12),
3330 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3331 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3332 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3333 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3334 			BPF_MOV64_IMM(BPF_REG_0, 1),
3335 			BPF_EXIT_INSN(),
3336 			BPF_MOV64_IMM(BPF_REG_0, 0),
3337 			BPF_EXIT_INSN(),
3338 		},
3339 		.result = ACCEPT,
3340 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3341 		.retval = 1,
3342 	},
3343 	{
3344 		"direct packet access: test15 (spill with xadd)",
3345 		.insns = {
3346 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3347 				    offsetof(struct __sk_buff, data)),
3348 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3349 				    offsetof(struct __sk_buff, data_end)),
3350 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3352 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3353 			BPF_MOV64_IMM(BPF_REG_5, 4096),
3354 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3356 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3357 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3358 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3359 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3360 			BPF_MOV64_IMM(BPF_REG_0, 0),
3361 			BPF_EXIT_INSN(),
3362 		},
3363 		.errstr = "R2 invalid mem access 'inv'",
3364 		.result = REJECT,
3365 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3366 	},
3367 	{
3368 		"direct packet access: test16 (arith on data_end)",
3369 		.insns = {
3370 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3371 				    offsetof(struct __sk_buff, data)),
3372 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3373 				    offsetof(struct __sk_buff, data_end)),
3374 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3375 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3377 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3378 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3379 			BPF_MOV64_IMM(BPF_REG_0, 0),
3380 			BPF_EXIT_INSN(),
3381 		},
3382 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3383 		.result = REJECT,
3384 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3385 	},
3386 	{
3387 		"direct packet access: test17 (pruning, alignment)",
3388 		.insns = {
3389 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3390 				    offsetof(struct __sk_buff, data)),
3391 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3392 				    offsetof(struct __sk_buff, data_end)),
3393 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3394 				    offsetof(struct __sk_buff, mark)),
3395 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3396 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3397 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3398 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3399 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3400 			BPF_MOV64_IMM(BPF_REG_0, 0),
3401 			BPF_EXIT_INSN(),
3402 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3403 			BPF_JMP_A(-6),
3404 		},
3405 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3406 		.result = REJECT,
3407 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3408 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3409 	},
3410 	{
3411 		"direct packet access: test18 (imm += pkt_ptr, 1)",
3412 		.insns = {
3413 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3414 				    offsetof(struct __sk_buff, data)),
3415 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3416 				    offsetof(struct __sk_buff, data_end)),
3417 			BPF_MOV64_IMM(BPF_REG_0, 8),
3418 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3419 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3420 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3421 			BPF_MOV64_IMM(BPF_REG_0, 0),
3422 			BPF_EXIT_INSN(),
3423 		},
3424 		.result = ACCEPT,
3425 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3426 	},
3427 	{
3428 		"direct packet access: test19 (imm += pkt_ptr, 2)",
3429 		.insns = {
3430 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3431 				    offsetof(struct __sk_buff, data)),
3432 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3433 				    offsetof(struct __sk_buff, data_end)),
3434 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3435 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3436 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3437 			BPF_MOV64_IMM(BPF_REG_4, 4),
3438 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3439 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3440 			BPF_MOV64_IMM(BPF_REG_0, 0),
3441 			BPF_EXIT_INSN(),
3442 		},
3443 		.result = ACCEPT,
3444 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3445 	},
3446 	{
3447 		"direct packet access: test20 (x += pkt_ptr, 1)",
3448 		.insns = {
3449 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3450 				    offsetof(struct __sk_buff, data)),
3451 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3452 				    offsetof(struct __sk_buff, data_end)),
3453 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3454 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3455 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3456 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3457 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3458 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3459 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3460 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3461 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3462 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3463 			BPF_MOV64_IMM(BPF_REG_0, 0),
3464 			BPF_EXIT_INSN(),
3465 		},
3466 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3467 		.result = ACCEPT,
3468 	},
3469 	{
3470 		"direct packet access: test21 (x += pkt_ptr, 2)",
3471 		.insns = {
3472 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3473 				    offsetof(struct __sk_buff, data)),
3474 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3475 				    offsetof(struct __sk_buff, data_end)),
3476 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3477 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3478 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3479 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3480 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3481 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3482 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3483 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3484 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3485 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3486 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3487 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3488 			BPF_MOV64_IMM(BPF_REG_0, 0),
3489 			BPF_EXIT_INSN(),
3490 		},
3491 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3492 		.result = ACCEPT,
3493 	},
3494 	{
3495 		"direct packet access: test22 (x += pkt_ptr, 3)",
3496 		.insns = {
3497 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3498 				    offsetof(struct __sk_buff, data)),
3499 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3500 				    offsetof(struct __sk_buff, data_end)),
3501 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3502 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3503 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3504 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3505 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3506 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3507 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3508 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3509 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3510 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3511 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3512 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3513 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3514 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3515 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3516 			BPF_MOV64_IMM(BPF_REG_2, 1),
3517 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3518 			BPF_MOV64_IMM(BPF_REG_0, 0),
3519 			BPF_EXIT_INSN(),
3520 		},
3521 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3522 		.result = ACCEPT,
3523 	},
3524 	{
3525 		"direct packet access: test23 (x += pkt_ptr, 4)",
3526 		.insns = {
3527 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3528 				    offsetof(struct __sk_buff, data)),
3529 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3530 				    offsetof(struct __sk_buff, data_end)),
3531 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3532 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3533 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3534 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3535 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3536 			BPF_MOV64_IMM(BPF_REG_0, 31),
3537 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3538 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3539 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3540 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3541 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3542 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3543 			BPF_MOV64_IMM(BPF_REG_0, 0),
3544 			BPF_EXIT_INSN(),
3545 		},
3546 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3547 		.result = REJECT,
3548 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3549 	},
3550 	{
3551 		"direct packet access: test24 (x += pkt_ptr, 5)",
3552 		.insns = {
3553 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3554 				    offsetof(struct __sk_buff, data)),
3555 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3556 				    offsetof(struct __sk_buff, data_end)),
3557 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3558 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3559 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3560 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3561 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3562 			BPF_MOV64_IMM(BPF_REG_0, 64),
3563 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3564 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3565 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3566 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3567 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3568 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3569 			BPF_MOV64_IMM(BPF_REG_0, 0),
3570 			BPF_EXIT_INSN(),
3571 		},
3572 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3573 		.result = ACCEPT,
3574 	},
3575 	{
3576 		"direct packet access: test25 (marking on <, good access)",
3577 		.insns = {
3578 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3579 				    offsetof(struct __sk_buff, data)),
3580 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3581 				    offsetof(struct __sk_buff, data_end)),
3582 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3583 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3584 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3585 			BPF_MOV64_IMM(BPF_REG_0, 0),
3586 			BPF_EXIT_INSN(),
3587 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3588 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3589 		},
3590 		.result = ACCEPT,
3591 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3592 	},
3593 	{
3594 		"direct packet access: test26 (marking on <, bad access)",
3595 		.insns = {
3596 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3597 				    offsetof(struct __sk_buff, data)),
3598 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3599 				    offsetof(struct __sk_buff, data_end)),
3600 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3601 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3602 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3603 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3604 			BPF_MOV64_IMM(BPF_REG_0, 0),
3605 			BPF_EXIT_INSN(),
3606 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3607 		},
3608 		.result = REJECT,
3609 		.errstr = "invalid access to packet",
3610 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611 	},
3612 	{
3613 		"direct packet access: test27 (marking on <=, good access)",
3614 		.insns = {
3615 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616 				    offsetof(struct __sk_buff, data)),
3617 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3618 				    offsetof(struct __sk_buff, data_end)),
3619 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3621 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3622 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3623 			BPF_MOV64_IMM(BPF_REG_0, 1),
3624 			BPF_EXIT_INSN(),
3625 		},
3626 		.result = ACCEPT,
3627 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3628 		.retval = 1,
3629 	},
3630 	{
3631 		"direct packet access: test28 (marking on <=, bad access)",
3632 		.insns = {
3633 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3634 				    offsetof(struct __sk_buff, data)),
3635 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3636 				    offsetof(struct __sk_buff, data_end)),
3637 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3638 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3639 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3640 			BPF_MOV64_IMM(BPF_REG_0, 1),
3641 			BPF_EXIT_INSN(),
3642 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3643 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3644 		},
3645 		.result = REJECT,
3646 		.errstr = "invalid access to packet",
3647 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3648 	},
3649 	{
3650 		"helper access to packet: test1, valid packet_ptr range",
3651 		.insns = {
3652 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3653 				    offsetof(struct xdp_md, data)),
3654 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3655 				    offsetof(struct xdp_md, data_end)),
3656 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3657 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3658 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3659 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3660 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3661 			BPF_MOV64_IMM(BPF_REG_4, 0),
3662 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3663 				     BPF_FUNC_map_update_elem),
3664 			BPF_MOV64_IMM(BPF_REG_0, 0),
3665 			BPF_EXIT_INSN(),
3666 		},
3667 		.fixup_map1 = { 5 },
3668 		.result_unpriv = ACCEPT,
3669 		.result = ACCEPT,
3670 		.prog_type = BPF_PROG_TYPE_XDP,
3671 	},
3672 	{
3673 		"helper access to packet: test2, unchecked packet_ptr",
3674 		.insns = {
3675 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3676 				    offsetof(struct xdp_md, data)),
3677 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3678 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3679 				     BPF_FUNC_map_lookup_elem),
3680 			BPF_MOV64_IMM(BPF_REG_0, 0),
3681 			BPF_EXIT_INSN(),
3682 		},
3683 		.fixup_map1 = { 1 },
3684 		.result = REJECT,
3685 		.errstr = "invalid access to packet",
3686 		.prog_type = BPF_PROG_TYPE_XDP,
3687 	},
3688 	{
3689 		"helper access to packet: test3, variable add",
3690 		.insns = {
3691 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3692 					offsetof(struct xdp_md, data)),
3693 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3694 					offsetof(struct xdp_md, data_end)),
3695 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3696 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3697 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3698 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3699 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3700 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3701 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3702 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3703 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3704 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3705 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3706 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3707 				     BPF_FUNC_map_lookup_elem),
3708 			BPF_MOV64_IMM(BPF_REG_0, 0),
3709 			BPF_EXIT_INSN(),
3710 		},
3711 		.fixup_map1 = { 11 },
3712 		.result = ACCEPT,
3713 		.prog_type = BPF_PROG_TYPE_XDP,
3714 	},
3715 	{
3716 		"helper access to packet: test4, packet_ptr with bad range",
3717 		.insns = {
3718 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3719 				    offsetof(struct xdp_md, data)),
3720 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3721 				    offsetof(struct xdp_md, data_end)),
3722 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3723 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3724 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3725 			BPF_MOV64_IMM(BPF_REG_0, 0),
3726 			BPF_EXIT_INSN(),
3727 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3728 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3729 				     BPF_FUNC_map_lookup_elem),
3730 			BPF_MOV64_IMM(BPF_REG_0, 0),
3731 			BPF_EXIT_INSN(),
3732 		},
3733 		.fixup_map1 = { 7 },
3734 		.result = REJECT,
3735 		.errstr = "invalid access to packet",
3736 		.prog_type = BPF_PROG_TYPE_XDP,
3737 	},
3738 	{
3739 		"helper access to packet: test5, packet_ptr with too short range",
3740 		.insns = {
3741 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3742 				    offsetof(struct xdp_md, data)),
3743 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3744 				    offsetof(struct xdp_md, data_end)),
3745 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3746 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3747 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3748 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3749 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3750 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3751 				     BPF_FUNC_map_lookup_elem),
3752 			BPF_MOV64_IMM(BPF_REG_0, 0),
3753 			BPF_EXIT_INSN(),
3754 		},
3755 		.fixup_map1 = { 6 },
3756 		.result = REJECT,
3757 		.errstr = "invalid access to packet",
3758 		.prog_type = BPF_PROG_TYPE_XDP,
3759 	},
3760 	{
3761 		"helper access to packet: test6, cls valid packet_ptr range",
3762 		.insns = {
3763 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3764 				    offsetof(struct __sk_buff, data)),
3765 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3766 				    offsetof(struct __sk_buff, data_end)),
3767 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3769 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3770 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3771 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3772 			BPF_MOV64_IMM(BPF_REG_4, 0),
3773 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3774 				     BPF_FUNC_map_update_elem),
3775 			BPF_MOV64_IMM(BPF_REG_0, 0),
3776 			BPF_EXIT_INSN(),
3777 		},
3778 		.fixup_map1 = { 5 },
3779 		.result = ACCEPT,
3780 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3781 	},
3782 	{
3783 		"helper access to packet: test7, cls unchecked packet_ptr",
3784 		.insns = {
3785 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3786 				    offsetof(struct __sk_buff, data)),
3787 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3788 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3789 				     BPF_FUNC_map_lookup_elem),
3790 			BPF_MOV64_IMM(BPF_REG_0, 0),
3791 			BPF_EXIT_INSN(),
3792 		},
3793 		.fixup_map1 = { 1 },
3794 		.result = REJECT,
3795 		.errstr = "invalid access to packet",
3796 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3797 	},
3798 	{
3799 		"helper access to packet: test8, cls variable add",
3800 		.insns = {
3801 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3802 					offsetof(struct __sk_buff, data)),
3803 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3804 					offsetof(struct __sk_buff, data_end)),
3805 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3807 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3808 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3809 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3810 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3811 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3812 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3813 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3814 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3815 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3816 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3817 				     BPF_FUNC_map_lookup_elem),
3818 			BPF_MOV64_IMM(BPF_REG_0, 0),
3819 			BPF_EXIT_INSN(),
3820 		},
3821 		.fixup_map1 = { 11 },
3822 		.result = ACCEPT,
3823 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3824 	},
3825 	{
3826 		"helper access to packet: test9, cls packet_ptr with bad range",
3827 		.insns = {
3828 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3829 				    offsetof(struct __sk_buff, data)),
3830 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3831 				    offsetof(struct __sk_buff, data_end)),
3832 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3833 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3834 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3835 			BPF_MOV64_IMM(BPF_REG_0, 0),
3836 			BPF_EXIT_INSN(),
3837 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3838 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3839 				     BPF_FUNC_map_lookup_elem),
3840 			BPF_MOV64_IMM(BPF_REG_0, 0),
3841 			BPF_EXIT_INSN(),
3842 		},
3843 		.fixup_map1 = { 7 },
3844 		.result = REJECT,
3845 		.errstr = "invalid access to packet",
3846 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3847 	},
3848 	{
3849 		"helper access to packet: test10, cls packet_ptr with too short range",
3850 		.insns = {
3851 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3852 				    offsetof(struct __sk_buff, data)),
3853 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3854 				    offsetof(struct __sk_buff, data_end)),
3855 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3856 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3857 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3858 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3859 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3860 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3861 				     BPF_FUNC_map_lookup_elem),
3862 			BPF_MOV64_IMM(BPF_REG_0, 0),
3863 			BPF_EXIT_INSN(),
3864 		},
3865 		.fixup_map1 = { 6 },
3866 		.result = REJECT,
3867 		.errstr = "invalid access to packet",
3868 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3869 	},
3870 	{
3871 		"helper access to packet: test11, cls unsuitable helper 1",
3872 		.insns = {
3873 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3874 				    offsetof(struct __sk_buff, data)),
3875 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3876 				    offsetof(struct __sk_buff, data_end)),
3877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3878 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3879 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3880 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3881 			BPF_MOV64_IMM(BPF_REG_2, 0),
3882 			BPF_MOV64_IMM(BPF_REG_4, 42),
3883 			BPF_MOV64_IMM(BPF_REG_5, 0),
3884 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3885 				     BPF_FUNC_skb_store_bytes),
3886 			BPF_MOV64_IMM(BPF_REG_0, 0),
3887 			BPF_EXIT_INSN(),
3888 		},
3889 		.result = REJECT,
3890 		.errstr = "helper access to the packet",
3891 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3892 	},
3893 	{
3894 		"helper access to packet: test12, cls unsuitable helper 2",
3895 		.insns = {
3896 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3897 				    offsetof(struct __sk_buff, data)),
3898 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3899 				    offsetof(struct __sk_buff, data_end)),
3900 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3901 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3902 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3903 			BPF_MOV64_IMM(BPF_REG_2, 0),
3904 			BPF_MOV64_IMM(BPF_REG_4, 4),
3905 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3906 				     BPF_FUNC_skb_load_bytes),
3907 			BPF_MOV64_IMM(BPF_REG_0, 0),
3908 			BPF_EXIT_INSN(),
3909 		},
3910 		.result = REJECT,
3911 		.errstr = "helper access to the packet",
3912 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3913 	},
3914 	{
3915 		"helper access to packet: test13, cls helper ok",
3916 		.insns = {
3917 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3918 				    offsetof(struct __sk_buff, data)),
3919 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3920 				    offsetof(struct __sk_buff, data_end)),
3921 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3922 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3923 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3924 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3925 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3926 			BPF_MOV64_IMM(BPF_REG_2, 4),
3927 			BPF_MOV64_IMM(BPF_REG_3, 0),
3928 			BPF_MOV64_IMM(BPF_REG_4, 0),
3929 			BPF_MOV64_IMM(BPF_REG_5, 0),
3930 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3931 				     BPF_FUNC_csum_diff),
3932 			BPF_MOV64_IMM(BPF_REG_0, 0),
3933 			BPF_EXIT_INSN(),
3934 		},
3935 		.result = ACCEPT,
3936 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3937 	},
3938 	{
3939 		"helper access to packet: test14, cls helper ok sub",
3940 		.insns = {
3941 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3942 				    offsetof(struct __sk_buff, data)),
3943 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3944 				    offsetof(struct __sk_buff, data_end)),
3945 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3946 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3948 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3949 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3950 			BPF_MOV64_IMM(BPF_REG_2, 4),
3951 			BPF_MOV64_IMM(BPF_REG_3, 0),
3952 			BPF_MOV64_IMM(BPF_REG_4, 0),
3953 			BPF_MOV64_IMM(BPF_REG_5, 0),
3954 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3955 				     BPF_FUNC_csum_diff),
3956 			BPF_MOV64_IMM(BPF_REG_0, 0),
3957 			BPF_EXIT_INSN(),
3958 		},
3959 		.result = ACCEPT,
3960 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3961 	},
3962 	{
3963 		"helper access to packet: test15, cls helper fail sub",
3964 		.insns = {
3965 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3966 				    offsetof(struct __sk_buff, data)),
3967 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3968 				    offsetof(struct __sk_buff, data_end)),
3969 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3970 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3971 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3972 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3973 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3974 			BPF_MOV64_IMM(BPF_REG_2, 4),
3975 			BPF_MOV64_IMM(BPF_REG_3, 0),
3976 			BPF_MOV64_IMM(BPF_REG_4, 0),
3977 			BPF_MOV64_IMM(BPF_REG_5, 0),
3978 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3979 				     BPF_FUNC_csum_diff),
3980 			BPF_MOV64_IMM(BPF_REG_0, 0),
3981 			BPF_EXIT_INSN(),
3982 		},
3983 		.result = REJECT,
3984 		.errstr = "invalid access to packet",
3985 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3986 	},
3987 	{
3988 		"helper access to packet: test16, cls helper fail range 1",
3989 		.insns = {
3990 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3991 				    offsetof(struct __sk_buff, data)),
3992 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3993 				    offsetof(struct __sk_buff, data_end)),
3994 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3995 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3996 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3997 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3998 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3999 			BPF_MOV64_IMM(BPF_REG_2, 8),
4000 			BPF_MOV64_IMM(BPF_REG_3, 0),
4001 			BPF_MOV64_IMM(BPF_REG_4, 0),
4002 			BPF_MOV64_IMM(BPF_REG_5, 0),
4003 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4004 				     BPF_FUNC_csum_diff),
4005 			BPF_MOV64_IMM(BPF_REG_0, 0),
4006 			BPF_EXIT_INSN(),
4007 		},
4008 		.result = REJECT,
4009 		.errstr = "invalid access to packet",
4010 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4011 	},
4012 	{
4013 		"helper access to packet: test17, cls helper fail range 2",
4014 		.insns = {
4015 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4016 				    offsetof(struct __sk_buff, data)),
4017 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4018 				    offsetof(struct __sk_buff, data_end)),
4019 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4020 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4021 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4022 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4023 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4024 			BPF_MOV64_IMM(BPF_REG_2, -9),
4025 			BPF_MOV64_IMM(BPF_REG_3, 0),
4026 			BPF_MOV64_IMM(BPF_REG_4, 0),
4027 			BPF_MOV64_IMM(BPF_REG_5, 0),
4028 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4029 				     BPF_FUNC_csum_diff),
4030 			BPF_MOV64_IMM(BPF_REG_0, 0),
4031 			BPF_EXIT_INSN(),
4032 		},
4033 		.result = REJECT,
4034 		.errstr = "R2 min value is negative",
4035 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4036 	},
4037 	{
4038 		"helper access to packet: test18, cls helper fail range 3",
4039 		.insns = {
4040 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4041 				    offsetof(struct __sk_buff, data)),
4042 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4043 				    offsetof(struct __sk_buff, data_end)),
4044 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4045 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4046 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4047 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4048 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4049 			BPF_MOV64_IMM(BPF_REG_2, ~0),
4050 			BPF_MOV64_IMM(BPF_REG_3, 0),
4051 			BPF_MOV64_IMM(BPF_REG_4, 0),
4052 			BPF_MOV64_IMM(BPF_REG_5, 0),
4053 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4054 				     BPF_FUNC_csum_diff),
4055 			BPF_MOV64_IMM(BPF_REG_0, 0),
4056 			BPF_EXIT_INSN(),
4057 		},
4058 		.result = REJECT,
4059 		.errstr = "R2 min value is negative",
4060 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4061 	},
4062 	{
4063 		"helper access to packet: test19, cls helper range zero",
4064 		.insns = {
4065 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4066 				    offsetof(struct __sk_buff, data)),
4067 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4068 				    offsetof(struct __sk_buff, data_end)),
4069 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4070 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4071 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4072 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4073 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4074 			BPF_MOV64_IMM(BPF_REG_2, 0),
4075 			BPF_MOV64_IMM(BPF_REG_3, 0),
4076 			BPF_MOV64_IMM(BPF_REG_4, 0),
4077 			BPF_MOV64_IMM(BPF_REG_5, 0),
4078 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4079 				     BPF_FUNC_csum_diff),
4080 			BPF_MOV64_IMM(BPF_REG_0, 0),
4081 			BPF_EXIT_INSN(),
4082 		},
4083 		.result = ACCEPT,
4084 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4085 	},
4086 	{
4087 		"helper access to packet: test20, pkt end as input",
4088 		.insns = {
4089 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4090 				    offsetof(struct __sk_buff, data)),
4091 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4092 				    offsetof(struct __sk_buff, data_end)),
4093 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4094 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4096 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4097 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4098 			BPF_MOV64_IMM(BPF_REG_2, 4),
4099 			BPF_MOV64_IMM(BPF_REG_3, 0),
4100 			BPF_MOV64_IMM(BPF_REG_4, 0),
4101 			BPF_MOV64_IMM(BPF_REG_5, 0),
4102 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4103 				     BPF_FUNC_csum_diff),
4104 			BPF_MOV64_IMM(BPF_REG_0, 0),
4105 			BPF_EXIT_INSN(),
4106 		},
4107 		.result = REJECT,
4108 		.errstr = "R1 type=pkt_end expected=fp",
4109 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4110 	},
4111 	{
4112 		"helper access to packet: test21, wrong reg",
4113 		.insns = {
4114 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4115 				    offsetof(struct __sk_buff, data)),
4116 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4117 				    offsetof(struct __sk_buff, data_end)),
4118 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4119 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4121 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4122 			BPF_MOV64_IMM(BPF_REG_2, 4),
4123 			BPF_MOV64_IMM(BPF_REG_3, 0),
4124 			BPF_MOV64_IMM(BPF_REG_4, 0),
4125 			BPF_MOV64_IMM(BPF_REG_5, 0),
4126 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4127 				     BPF_FUNC_csum_diff),
4128 			BPF_MOV64_IMM(BPF_REG_0, 0),
4129 			BPF_EXIT_INSN(),
4130 		},
4131 		.result = REJECT,
4132 		.errstr = "invalid access to packet",
4133 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4134 	},
4135 	{
4136 		"valid map access into an array with a constant",
4137 		.insns = {
4138 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4139 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4140 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4141 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4142 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4143 				     BPF_FUNC_map_lookup_elem),
4144 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4145 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4146 				   offsetof(struct test_val, foo)),
4147 			BPF_EXIT_INSN(),
4148 		},
4149 		.fixup_map2 = { 3 },
4150 		.errstr_unpriv = "R0 leaks addr",
4151 		.result_unpriv = REJECT,
4152 		.result = ACCEPT,
4153 	},
4154 	{
4155 		"valid map access into an array with a register",
4156 		.insns = {
4157 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4158 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4159 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4160 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4161 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4162 				     BPF_FUNC_map_lookup_elem),
4163 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4164 			BPF_MOV64_IMM(BPF_REG_1, 4),
4165 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4166 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4167 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4168 				   offsetof(struct test_val, foo)),
4169 			BPF_EXIT_INSN(),
4170 		},
4171 		.fixup_map2 = { 3 },
4172 		.errstr_unpriv = "R0 leaks addr",
4173 		.result_unpriv = REJECT,
4174 		.result = ACCEPT,
4175 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4176 	},
4177 	{
4178 		"valid map access into an array with a variable",
4179 		.insns = {
4180 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4181 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4182 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4183 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4184 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4185 				     BPF_FUNC_map_lookup_elem),
4186 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4187 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4188 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4189 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4190 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4191 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4192 				   offsetof(struct test_val, foo)),
4193 			BPF_EXIT_INSN(),
4194 		},
4195 		.fixup_map2 = { 3 },
4196 		.errstr_unpriv = "R0 leaks addr",
4197 		.result_unpriv = REJECT,
4198 		.result = ACCEPT,
4199 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4200 	},
4201 	{
4202 		"valid map access into an array with a signed variable",
4203 		.insns = {
4204 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4205 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4207 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4208 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4209 				     BPF_FUNC_map_lookup_elem),
4210 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4211 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4212 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4213 			BPF_MOV32_IMM(BPF_REG_1, 0),
4214 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4215 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4216 			BPF_MOV32_IMM(BPF_REG_1, 0),
4217 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4218 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4219 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4220 				   offsetof(struct test_val, foo)),
4221 			BPF_EXIT_INSN(),
4222 		},
4223 		.fixup_map2 = { 3 },
4224 		.errstr_unpriv = "R0 leaks addr",
4225 		.result_unpriv = REJECT,
4226 		.result = ACCEPT,
4227 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4228 	},
4229 	{
4230 		"invalid map access into an array with a constant",
4231 		.insns = {
4232 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4233 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4234 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4235 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4236 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4237 				     BPF_FUNC_map_lookup_elem),
4238 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4239 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4240 				   offsetof(struct test_val, foo)),
4241 			BPF_EXIT_INSN(),
4242 		},
4243 		.fixup_map2 = { 3 },
4244 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
4245 		.result = REJECT,
4246 	},
4247 	{
4248 		"invalid map access into an array with a register",
4249 		.insns = {
4250 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4251 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4252 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4253 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4254 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4255 				     BPF_FUNC_map_lookup_elem),
4256 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4257 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4258 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4259 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4260 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4261 				   offsetof(struct test_val, foo)),
4262 			BPF_EXIT_INSN(),
4263 		},
4264 		.fixup_map2 = { 3 },
4265 		.errstr = "R0 min value is outside of the array range",
4266 		.result = REJECT,
4267 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4268 	},
4269 	{
4270 		"invalid map access into an array with a variable",
4271 		.insns = {
4272 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4273 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4274 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4275 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4276 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4277 				     BPF_FUNC_map_lookup_elem),
4278 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4279 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4280 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4281 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4282 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4283 				   offsetof(struct test_val, foo)),
4284 			BPF_EXIT_INSN(),
4285 		},
4286 		.fixup_map2 = { 3 },
4287 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4288 		.result = REJECT,
4289 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4290 	},
4291 	{
4292 		"invalid map access into an array with no floor check",
4293 		.insns = {
4294 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4295 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4296 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4297 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4298 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4299 				     BPF_FUNC_map_lookup_elem),
4300 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4301 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4302 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4303 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4304 			BPF_MOV32_IMM(BPF_REG_1, 0),
4305 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4306 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4307 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4308 				   offsetof(struct test_val, foo)),
4309 			BPF_EXIT_INSN(),
4310 		},
4311 		.fixup_map2 = { 3 },
4312 		.errstr_unpriv = "R0 leaks addr",
4313 		.errstr = "R0 unbounded memory access",
4314 		.result_unpriv = REJECT,
4315 		.result = REJECT,
4316 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4317 	},
4318 	{
4319 		"invalid map access into an array with a invalid max check",
4320 		.insns = {
4321 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4322 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4323 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4324 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4325 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4326 				     BPF_FUNC_map_lookup_elem),
4327 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4328 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4329 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4330 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4331 			BPF_MOV32_IMM(BPF_REG_1, 0),
4332 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4333 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4334 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4335 				   offsetof(struct test_val, foo)),
4336 			BPF_EXIT_INSN(),
4337 		},
4338 		.fixup_map2 = { 3 },
4339 		.errstr_unpriv = "R0 leaks addr",
4340 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
4341 		.result_unpriv = REJECT,
4342 		.result = REJECT,
4343 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4344 	},
4345 	{
4346 		"invalid map access into an array with a invalid max check",
4347 		.insns = {
4348 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4349 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4350 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4351 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4352 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4353 				     BPF_FUNC_map_lookup_elem),
4354 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4355 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4356 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4357 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4358 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4359 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4360 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4361 				     BPF_FUNC_map_lookup_elem),
4362 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4363 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4364 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4365 				    offsetof(struct test_val, foo)),
4366 			BPF_EXIT_INSN(),
4367 		},
4368 		.fixup_map2 = { 3, 11 },
4369 		.errstr = "R0 pointer += pointer",
4370 		.result = REJECT,
4371 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4372 	},
4373 	{
4374 		"multiple registers share map_lookup_elem result",
4375 		.insns = {
4376 			BPF_MOV64_IMM(BPF_REG_1, 10),
4377 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4378 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4379 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4380 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4381 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4382 				     BPF_FUNC_map_lookup_elem),
4383 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4384 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4385 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4386 			BPF_EXIT_INSN(),
4387 		},
4388 		.fixup_map1 = { 4 },
4389 		.result = ACCEPT,
4390 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4391 	},
4392 	{
4393 		"alu ops on ptr_to_map_value_or_null, 1",
4394 		.insns = {
4395 			BPF_MOV64_IMM(BPF_REG_1, 10),
4396 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4397 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4399 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4400 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4401 				     BPF_FUNC_map_lookup_elem),
4402 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4403 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4404 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4405 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4406 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4407 			BPF_EXIT_INSN(),
4408 		},
4409 		.fixup_map1 = { 4 },
4410 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4411 		.result = REJECT,
4412 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4413 	},
4414 	{
4415 		"alu ops on ptr_to_map_value_or_null, 2",
4416 		.insns = {
4417 			BPF_MOV64_IMM(BPF_REG_1, 10),
4418 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4419 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4421 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4422 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4423 				     BPF_FUNC_map_lookup_elem),
4424 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4425 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4426 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4427 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4428 			BPF_EXIT_INSN(),
4429 		},
4430 		.fixup_map1 = { 4 },
4431 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4432 		.result = REJECT,
4433 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4434 	},
4435 	{
4436 		"alu ops on ptr_to_map_value_or_null, 3",
4437 		.insns = {
4438 			BPF_MOV64_IMM(BPF_REG_1, 10),
4439 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4440 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4441 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4442 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4443 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4444 				     BPF_FUNC_map_lookup_elem),
4445 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4446 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4447 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4448 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4449 			BPF_EXIT_INSN(),
4450 		},
4451 		.fixup_map1 = { 4 },
4452 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4453 		.result = REJECT,
4454 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4455 	},
4456 	{
4457 		"invalid memory access with multiple map_lookup_elem calls",
4458 		.insns = {
4459 			BPF_MOV64_IMM(BPF_REG_1, 10),
4460 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4461 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4462 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4463 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4464 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4465 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4466 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467 				     BPF_FUNC_map_lookup_elem),
4468 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4469 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4470 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4471 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4472 				     BPF_FUNC_map_lookup_elem),
4473 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4474 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4475 			BPF_EXIT_INSN(),
4476 		},
4477 		.fixup_map1 = { 4 },
4478 		.result = REJECT,
4479 		.errstr = "R4 !read_ok",
4480 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4481 	},
4482 	{
4483 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
4484 		.insns = {
4485 			BPF_MOV64_IMM(BPF_REG_1, 10),
4486 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4487 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4488 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4489 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4490 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4491 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4492 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4493 				     BPF_FUNC_map_lookup_elem),
4494 			BPF_MOV64_IMM(BPF_REG_2, 10),
4495 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4496 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4497 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4498 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4499 				     BPF_FUNC_map_lookup_elem),
4500 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4501 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4502 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4503 			BPF_EXIT_INSN(),
4504 		},
4505 		.fixup_map1 = { 4 },
4506 		.result = ACCEPT,
4507 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4508 	},
4509 	{
4510 		"invalid map access from else condition",
4511 		.insns = {
4512 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4513 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4514 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4515 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4516 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4517 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4518 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4519 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4520 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4521 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4522 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4523 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4524 			BPF_EXIT_INSN(),
4525 		},
4526 		.fixup_map2 = { 3 },
4527 		.errstr = "R0 unbounded memory access",
4528 		.result = REJECT,
4529 		.errstr_unpriv = "R0 leaks addr",
4530 		.result_unpriv = REJECT,
4531 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4532 	},
4533 	{
4534 		"constant register |= constant should keep constant type",
4535 		.insns = {
4536 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4537 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4538 			BPF_MOV64_IMM(BPF_REG_2, 34),
4539 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4540 			BPF_MOV64_IMM(BPF_REG_3, 0),
4541 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4542 			BPF_EXIT_INSN(),
4543 		},
4544 		.result = ACCEPT,
4545 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4546 	},
4547 	{
4548 		"constant register |= constant should not bypass stack boundary checks",
4549 		.insns = {
4550 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4551 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4552 			BPF_MOV64_IMM(BPF_REG_2, 34),
4553 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4554 			BPF_MOV64_IMM(BPF_REG_3, 0),
4555 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4556 			BPF_EXIT_INSN(),
4557 		},
4558 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4559 		.result = REJECT,
4560 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4561 	},
4562 	{
4563 		"constant register |= constant register should keep constant type",
4564 		.insns = {
4565 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4566 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4567 			BPF_MOV64_IMM(BPF_REG_2, 34),
4568 			BPF_MOV64_IMM(BPF_REG_4, 13),
4569 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4570 			BPF_MOV64_IMM(BPF_REG_3, 0),
4571 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4572 			BPF_EXIT_INSN(),
4573 		},
4574 		.result = ACCEPT,
4575 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4576 	},
4577 	{
4578 		"constant register |= constant register should not bypass stack boundary checks",
4579 		.insns = {
4580 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4581 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4582 			BPF_MOV64_IMM(BPF_REG_2, 34),
4583 			BPF_MOV64_IMM(BPF_REG_4, 24),
4584 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4585 			BPF_MOV64_IMM(BPF_REG_3, 0),
4586 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4587 			BPF_EXIT_INSN(),
4588 		},
4589 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4590 		.result = REJECT,
4591 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4592 	},
4593 	{
4594 		"invalid direct packet write for LWT_IN",
4595 		.insns = {
4596 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4597 				    offsetof(struct __sk_buff, data)),
4598 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4599 				    offsetof(struct __sk_buff, data_end)),
4600 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4601 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4602 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4603 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4604 			BPF_MOV64_IMM(BPF_REG_0, 0),
4605 			BPF_EXIT_INSN(),
4606 		},
4607 		.errstr = "cannot write into packet",
4608 		.result = REJECT,
4609 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4610 	},
4611 	{
4612 		"invalid direct packet write for LWT_OUT",
4613 		.insns = {
4614 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4615 				    offsetof(struct __sk_buff, data)),
4616 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4617 				    offsetof(struct __sk_buff, data_end)),
4618 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4619 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4620 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4621 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4622 			BPF_MOV64_IMM(BPF_REG_0, 0),
4623 			BPF_EXIT_INSN(),
4624 		},
4625 		.errstr = "cannot write into packet",
4626 		.result = REJECT,
4627 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4628 	},
4629 	{
4630 		"direct packet write for LWT_XMIT",
4631 		.insns = {
4632 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4633 				    offsetof(struct __sk_buff, data)),
4634 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4635 				    offsetof(struct __sk_buff, data_end)),
4636 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4637 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4638 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4639 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4640 			BPF_MOV64_IMM(BPF_REG_0, 0),
4641 			BPF_EXIT_INSN(),
4642 		},
4643 		.result = ACCEPT,
4644 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4645 	},
4646 	{
4647 		"direct packet read for LWT_IN",
4648 		.insns = {
4649 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4650 				    offsetof(struct __sk_buff, data)),
4651 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4652 				    offsetof(struct __sk_buff, data_end)),
4653 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4654 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4655 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4656 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4657 			BPF_MOV64_IMM(BPF_REG_0, 0),
4658 			BPF_EXIT_INSN(),
4659 		},
4660 		.result = ACCEPT,
4661 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4662 	},
4663 	{
4664 		"direct packet read for LWT_OUT",
4665 		.insns = {
4666 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4667 				    offsetof(struct __sk_buff, data)),
4668 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4669 				    offsetof(struct __sk_buff, data_end)),
4670 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4671 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4672 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4673 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4674 			BPF_MOV64_IMM(BPF_REG_0, 0),
4675 			BPF_EXIT_INSN(),
4676 		},
4677 		.result = ACCEPT,
4678 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4679 	},
4680 	{
4681 		"direct packet read for LWT_XMIT",
4682 		.insns = {
4683 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4684 				    offsetof(struct __sk_buff, data)),
4685 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4686 				    offsetof(struct __sk_buff, data_end)),
4687 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4688 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4689 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4690 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4691 			BPF_MOV64_IMM(BPF_REG_0, 0),
4692 			BPF_EXIT_INSN(),
4693 		},
4694 		.result = ACCEPT,
4695 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4696 	},
4697 	{
4698 		"overlapping checks for direct packet access",
4699 		.insns = {
4700 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4701 				    offsetof(struct __sk_buff, data)),
4702 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4703 				    offsetof(struct __sk_buff, data_end)),
4704 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4705 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4706 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4707 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4708 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4709 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4710 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4711 			BPF_MOV64_IMM(BPF_REG_0, 0),
4712 			BPF_EXIT_INSN(),
4713 		},
4714 		.result = ACCEPT,
4715 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4716 	},
4717 	{
4718 		"invalid access of tc_classid for LWT_IN",
4719 		.insns = {
4720 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4721 				    offsetof(struct __sk_buff, tc_classid)),
4722 			BPF_EXIT_INSN(),
4723 		},
4724 		.result = REJECT,
4725 		.errstr = "invalid bpf_context access",
4726 	},
4727 	{
4728 		"invalid access of tc_classid for LWT_OUT",
4729 		.insns = {
4730 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4731 				    offsetof(struct __sk_buff, tc_classid)),
4732 			BPF_EXIT_INSN(),
4733 		},
4734 		.result = REJECT,
4735 		.errstr = "invalid bpf_context access",
4736 	},
4737 	{
4738 		"invalid access of tc_classid for LWT_XMIT",
4739 		.insns = {
4740 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4741 				    offsetof(struct __sk_buff, tc_classid)),
4742 			BPF_EXIT_INSN(),
4743 		},
4744 		.result = REJECT,
4745 		.errstr = "invalid bpf_context access",
4746 	},
4747 	{
4748 		"leak pointer into ctx 1",
4749 		.insns = {
4750 			BPF_MOV64_IMM(BPF_REG_0, 0),
4751 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4752 				    offsetof(struct __sk_buff, cb[0])),
4753 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4754 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4755 				      offsetof(struct __sk_buff, cb[0])),
4756 			BPF_EXIT_INSN(),
4757 		},
4758 		.fixup_map1 = { 2 },
4759 		.errstr_unpriv = "R2 leaks addr into mem",
4760 		.result_unpriv = REJECT,
4761 		.result = REJECT,
4762 		.errstr = "BPF_XADD stores into R1 context is not allowed",
4763 	},
4764 	{
4765 		"leak pointer into ctx 2",
4766 		.insns = {
4767 			BPF_MOV64_IMM(BPF_REG_0, 0),
4768 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4769 				    offsetof(struct __sk_buff, cb[0])),
4770 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4771 				      offsetof(struct __sk_buff, cb[0])),
4772 			BPF_EXIT_INSN(),
4773 		},
4774 		.errstr_unpriv = "R10 leaks addr into mem",
4775 		.result_unpriv = REJECT,
4776 		.result = REJECT,
4777 		.errstr = "BPF_XADD stores into R1 context is not allowed",
4778 	},
4779 	{
4780 		"leak pointer into ctx 3",
4781 		.insns = {
4782 			BPF_MOV64_IMM(BPF_REG_0, 0),
4783 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4784 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4785 				      offsetof(struct __sk_buff, cb[0])),
4786 			BPF_EXIT_INSN(),
4787 		},
4788 		.fixup_map1 = { 1 },
4789 		.errstr_unpriv = "R2 leaks addr into ctx",
4790 		.result_unpriv = REJECT,
4791 		.result = ACCEPT,
4792 	},
4793 	{
4794 		"leak pointer into map val",
4795 		.insns = {
4796 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4797 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4798 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4800 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4801 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4802 				     BPF_FUNC_map_lookup_elem),
4803 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4804 			BPF_MOV64_IMM(BPF_REG_3, 0),
4805 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4806 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4807 			BPF_MOV64_IMM(BPF_REG_0, 0),
4808 			BPF_EXIT_INSN(),
4809 		},
4810 		.fixup_map1 = { 4 },
4811 		.errstr_unpriv = "R6 leaks addr into mem",
4812 		.result_unpriv = REJECT,
4813 		.result = ACCEPT,
4814 	},
4815 	{
4816 		"helper access to map: full range",
4817 		.insns = {
4818 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4819 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4820 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4821 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4822 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4823 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4824 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4825 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4826 			BPF_MOV64_IMM(BPF_REG_3, 0),
4827 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4828 			BPF_EXIT_INSN(),
4829 		},
4830 		.fixup_map2 = { 3 },
4831 		.result = ACCEPT,
4832 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4833 	},
4834 	{
4835 		"helper access to map: partial range",
4836 		.insns = {
4837 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4838 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4839 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4840 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4841 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4842 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4843 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4844 			BPF_MOV64_IMM(BPF_REG_2, 8),
4845 			BPF_MOV64_IMM(BPF_REG_3, 0),
4846 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4847 			BPF_EXIT_INSN(),
4848 		},
4849 		.fixup_map2 = { 3 },
4850 		.result = ACCEPT,
4851 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4852 	},
4853 	{
4854 		"helper access to map: empty range",
4855 		.insns = {
4856 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4857 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4858 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4859 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4860 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4861 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4862 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4863 			BPF_MOV64_IMM(BPF_REG_2, 0),
4864 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4865 			BPF_EXIT_INSN(),
4866 		},
4867 		.fixup_map2 = { 3 },
4868 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
4869 		.result = REJECT,
4870 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4871 	},
4872 	{
4873 		"helper access to map: out-of-bound range",
4874 		.insns = {
4875 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4876 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4877 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4878 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4879 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4880 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4881 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4882 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4883 			BPF_MOV64_IMM(BPF_REG_3, 0),
4884 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4885 			BPF_EXIT_INSN(),
4886 		},
4887 		.fixup_map2 = { 3 },
4888 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
4889 		.result = REJECT,
4890 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4891 	},
4892 	{
4893 		"helper access to map: negative range",
4894 		.insns = {
4895 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4896 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4897 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4898 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4899 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4900 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4901 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4902 			BPF_MOV64_IMM(BPF_REG_2, -8),
4903 			BPF_MOV64_IMM(BPF_REG_3, 0),
4904 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4905 			BPF_EXIT_INSN(),
4906 		},
4907 		.fixup_map2 = { 3 },
4908 		.errstr = "R2 min value is negative",
4909 		.result = REJECT,
4910 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4911 	},
4912 	{
4913 		"helper access to adjusted map (via const imm): full range",
4914 		.insns = {
4915 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4916 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4917 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4918 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4919 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4920 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4921 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4922 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4923 				offsetof(struct test_val, foo)),
4924 			BPF_MOV64_IMM(BPF_REG_2,
4925 				sizeof(struct test_val) -
4926 				offsetof(struct test_val, foo)),
4927 			BPF_MOV64_IMM(BPF_REG_3, 0),
4928 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4929 			BPF_EXIT_INSN(),
4930 		},
4931 		.fixup_map2 = { 3 },
4932 		.result = ACCEPT,
4933 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4934 	},
4935 	{
4936 		"helper access to adjusted map (via const imm): partial range",
4937 		.insns = {
4938 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4939 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4940 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4941 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4942 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4943 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4944 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4945 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4946 				offsetof(struct test_val, foo)),
4947 			BPF_MOV64_IMM(BPF_REG_2, 8),
4948 			BPF_MOV64_IMM(BPF_REG_3, 0),
4949 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4950 			BPF_EXIT_INSN(),
4951 		},
4952 		.fixup_map2 = { 3 },
4953 		.result = ACCEPT,
4954 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4955 	},
4956 	{
4957 		"helper access to adjusted map (via const imm): empty range",
4958 		.insns = {
4959 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4960 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4961 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4962 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4963 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4964 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4965 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4966 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4967 				offsetof(struct test_val, foo)),
4968 			BPF_MOV64_IMM(BPF_REG_2, 0),
4969 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4970 			BPF_EXIT_INSN(),
4971 		},
4972 		.fixup_map2 = { 3 },
4973 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
4974 		.result = REJECT,
4975 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4976 	},
4977 	{
4978 		"helper access to adjusted map (via const imm): out-of-bound range",
4979 		.insns = {
4980 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4982 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4983 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4984 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4985 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4986 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4987 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4988 				offsetof(struct test_val, foo)),
4989 			BPF_MOV64_IMM(BPF_REG_2,
4990 				sizeof(struct test_val) -
4991 				offsetof(struct test_val, foo) + 8),
4992 			BPF_MOV64_IMM(BPF_REG_3, 0),
4993 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4994 			BPF_EXIT_INSN(),
4995 		},
4996 		.fixup_map2 = { 3 },
4997 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
4998 		.result = REJECT,
4999 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5000 	},
5001 	{
5002 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
5003 		.insns = {
5004 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5006 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5007 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5008 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5009 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5010 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5011 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5012 				offsetof(struct test_val, foo)),
5013 			BPF_MOV64_IMM(BPF_REG_2, -8),
5014 			BPF_MOV64_IMM(BPF_REG_3, 0),
5015 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5016 			BPF_EXIT_INSN(),
5017 		},
5018 		.fixup_map2 = { 3 },
5019 		.errstr = "R2 min value is negative",
5020 		.result = REJECT,
5021 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5022 	},
5023 	{
5024 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
5025 		.insns = {
5026 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5027 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5028 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5029 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5030 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5031 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5032 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5033 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5034 				offsetof(struct test_val, foo)),
5035 			BPF_MOV64_IMM(BPF_REG_2, -1),
5036 			BPF_MOV64_IMM(BPF_REG_3, 0),
5037 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5038 			BPF_EXIT_INSN(),
5039 		},
5040 		.fixup_map2 = { 3 },
5041 		.errstr = "R2 min value is negative",
5042 		.result = REJECT,
5043 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5044 	},
5045 	{
5046 		"helper access to adjusted map (via const reg): full range",
5047 		.insns = {
5048 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5049 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5050 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5051 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5052 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5053 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5054 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5055 			BPF_MOV64_IMM(BPF_REG_3,
5056 				offsetof(struct test_val, foo)),
5057 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5058 			BPF_MOV64_IMM(BPF_REG_2,
5059 				sizeof(struct test_val) -
5060 				offsetof(struct test_val, foo)),
5061 			BPF_MOV64_IMM(BPF_REG_3, 0),
5062 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5063 			BPF_EXIT_INSN(),
5064 		},
5065 		.fixup_map2 = { 3 },
5066 		.result = ACCEPT,
5067 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5068 	},
5069 	{
5070 		"helper access to adjusted map (via const reg): partial range",
5071 		.insns = {
5072 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5073 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5074 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5075 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5076 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5077 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5078 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5079 			BPF_MOV64_IMM(BPF_REG_3,
5080 				offsetof(struct test_val, foo)),
5081 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5082 			BPF_MOV64_IMM(BPF_REG_2, 8),
5083 			BPF_MOV64_IMM(BPF_REG_3, 0),
5084 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5085 			BPF_EXIT_INSN(),
5086 		},
5087 		.fixup_map2 = { 3 },
5088 		.result = ACCEPT,
5089 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5090 	},
5091 	{
5092 		"helper access to adjusted map (via const reg): empty range",
5093 		.insns = {
5094 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5096 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5097 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5098 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5099 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5100 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5101 			BPF_MOV64_IMM(BPF_REG_3, 0),
5102 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5103 			BPF_MOV64_IMM(BPF_REG_2, 0),
5104 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5105 			BPF_EXIT_INSN(),
5106 		},
5107 		.fixup_map2 = { 3 },
5108 		.errstr = "R1 min value is outside of the array range",
5109 		.result = REJECT,
5110 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5111 	},
5112 	{
5113 		"helper access to adjusted map (via const reg): out-of-bound range",
5114 		.insns = {
5115 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5116 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5117 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5118 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5119 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5120 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5121 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5122 			BPF_MOV64_IMM(BPF_REG_3,
5123 				offsetof(struct test_val, foo)),
5124 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5125 			BPF_MOV64_IMM(BPF_REG_2,
5126 				sizeof(struct test_val) -
5127 				offsetof(struct test_val, foo) + 8),
5128 			BPF_MOV64_IMM(BPF_REG_3, 0),
5129 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5130 			BPF_EXIT_INSN(),
5131 		},
5132 		.fixup_map2 = { 3 },
5133 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5134 		.result = REJECT,
5135 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5136 	},
5137 	{
5138 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
5139 		.insns = {
5140 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5141 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5142 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5143 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5144 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5146 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5147 			BPF_MOV64_IMM(BPF_REG_3,
5148 				offsetof(struct test_val, foo)),
5149 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5150 			BPF_MOV64_IMM(BPF_REG_2, -8),
5151 			BPF_MOV64_IMM(BPF_REG_3, 0),
5152 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5153 			BPF_EXIT_INSN(),
5154 		},
5155 		.fixup_map2 = { 3 },
5156 		.errstr = "R2 min value is negative",
5157 		.result = REJECT,
5158 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5159 	},
5160 	{
5161 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
5162 		.insns = {
5163 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5164 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5165 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5166 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5167 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5168 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5169 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5170 			BPF_MOV64_IMM(BPF_REG_3,
5171 				offsetof(struct test_val, foo)),
5172 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5173 			BPF_MOV64_IMM(BPF_REG_2, -1),
5174 			BPF_MOV64_IMM(BPF_REG_3, 0),
5175 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5176 			BPF_EXIT_INSN(),
5177 		},
5178 		.fixup_map2 = { 3 },
5179 		.errstr = "R2 min value is negative",
5180 		.result = REJECT,
5181 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5182 	},
5183 	{
5184 		"helper access to adjusted map (via variable): full range",
5185 		.insns = {
5186 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5188 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5189 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5190 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5191 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5192 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5193 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5194 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5195 				offsetof(struct test_val, foo), 4),
5196 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5197 			BPF_MOV64_IMM(BPF_REG_2,
5198 				sizeof(struct test_val) -
5199 				offsetof(struct test_val, foo)),
5200 			BPF_MOV64_IMM(BPF_REG_3, 0),
5201 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5202 			BPF_EXIT_INSN(),
5203 		},
5204 		.fixup_map2 = { 3 },
5205 		.result = ACCEPT,
5206 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5207 	},
5208 	{
5209 		"helper access to adjusted map (via variable): partial range",
5210 		.insns = {
5211 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5213 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5214 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5215 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5216 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5217 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5218 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5219 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5220 				offsetof(struct test_val, foo), 4),
5221 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5222 			BPF_MOV64_IMM(BPF_REG_2, 8),
5223 			BPF_MOV64_IMM(BPF_REG_3, 0),
5224 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5225 			BPF_EXIT_INSN(),
5226 		},
5227 		.fixup_map2 = { 3 },
5228 		.result = ACCEPT,
5229 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5230 	},
5231 	{
5232 		"helper access to adjusted map (via variable): empty range",
5233 		.insns = {
5234 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5235 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5236 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5237 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5238 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5239 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5240 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5241 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5242 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5243 				offsetof(struct test_val, foo), 3),
5244 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5245 			BPF_MOV64_IMM(BPF_REG_2, 0),
5246 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5247 			BPF_EXIT_INSN(),
5248 		},
5249 		.fixup_map2 = { 3 },
5250 		.errstr = "R1 min value is outside of the array range",
5251 		.result = REJECT,
5252 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5253 	},
5254 	{
5255 		"helper access to adjusted map (via variable): no max check",
5256 		.insns = {
5257 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5258 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5259 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5260 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5261 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5262 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5263 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5264 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5265 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5266 			BPF_MOV64_IMM(BPF_REG_2, 1),
5267 			BPF_MOV64_IMM(BPF_REG_3, 0),
5268 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5269 			BPF_EXIT_INSN(),
5270 		},
5271 		.fixup_map2 = { 3 },
5272 		.errstr = "R1 unbounded memory access",
5273 		.result = REJECT,
5274 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5275 	},
5276 	{
5277 		"helper access to adjusted map (via variable): wrong max check",
5278 		.insns = {
5279 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5280 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5281 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5282 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5283 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5284 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5285 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5286 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5287 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5288 				offsetof(struct test_val, foo), 4),
5289 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5290 			BPF_MOV64_IMM(BPF_REG_2,
5291 				sizeof(struct test_val) -
5292 				offsetof(struct test_val, foo) + 1),
5293 			BPF_MOV64_IMM(BPF_REG_3, 0),
5294 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5295 			BPF_EXIT_INSN(),
5296 		},
5297 		.fixup_map2 = { 3 },
5298 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
5299 		.result = REJECT,
5300 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5301 	},
5302 	{
5303 		"helper access to map: bounds check using <, good access",
5304 		.insns = {
5305 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5306 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5307 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5308 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5309 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5310 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5311 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5312 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5313 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5314 			BPF_MOV64_IMM(BPF_REG_0, 0),
5315 			BPF_EXIT_INSN(),
5316 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5317 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5318 			BPF_MOV64_IMM(BPF_REG_0, 0),
5319 			BPF_EXIT_INSN(),
5320 		},
5321 		.fixup_map2 = { 3 },
5322 		.result = ACCEPT,
5323 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5324 	},
5325 	{
5326 		"helper access to map: bounds check using <, bad access",
5327 		.insns = {
5328 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5329 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5330 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5331 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5332 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5333 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5334 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5335 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5336 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5337 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5338 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5339 			BPF_MOV64_IMM(BPF_REG_0, 0),
5340 			BPF_EXIT_INSN(),
5341 			BPF_MOV64_IMM(BPF_REG_0, 0),
5342 			BPF_EXIT_INSN(),
5343 		},
5344 		.fixup_map2 = { 3 },
5345 		.result = REJECT,
5346 		.errstr = "R1 unbounded memory access",
5347 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5348 	},
5349 	{
5350 		"helper access to map: bounds check using <=, good access",
5351 		.insns = {
5352 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5353 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5354 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5355 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5356 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5357 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5358 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5359 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5360 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5361 			BPF_MOV64_IMM(BPF_REG_0, 0),
5362 			BPF_EXIT_INSN(),
5363 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5364 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5365 			BPF_MOV64_IMM(BPF_REG_0, 0),
5366 			BPF_EXIT_INSN(),
5367 		},
5368 		.fixup_map2 = { 3 },
5369 		.result = ACCEPT,
5370 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5371 	},
5372 	{
5373 		"helper access to map: bounds check using <=, bad access",
5374 		.insns = {
5375 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5377 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5378 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5379 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5380 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5381 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5382 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5383 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5384 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5385 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5386 			BPF_MOV64_IMM(BPF_REG_0, 0),
5387 			BPF_EXIT_INSN(),
5388 			BPF_MOV64_IMM(BPF_REG_0, 0),
5389 			BPF_EXIT_INSN(),
5390 		},
5391 		.fixup_map2 = { 3 },
5392 		.result = REJECT,
5393 		.errstr = "R1 unbounded memory access",
5394 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5395 	},
5396 	{
5397 		"helper access to map: bounds check using s<, good access",
5398 		.insns = {
5399 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5400 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5401 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5402 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5403 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5404 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5405 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5406 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5407 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5408 			BPF_MOV64_IMM(BPF_REG_0, 0),
5409 			BPF_EXIT_INSN(),
5410 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5411 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5412 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5413 			BPF_MOV64_IMM(BPF_REG_0, 0),
5414 			BPF_EXIT_INSN(),
5415 		},
5416 		.fixup_map2 = { 3 },
5417 		.result = ACCEPT,
5418 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5419 	},
5420 	{
5421 		"helper access to map: bounds check using s<, good access 2",
5422 		.insns = {
5423 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5424 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5425 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5426 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5427 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5428 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5429 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5430 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5431 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5432 			BPF_MOV64_IMM(BPF_REG_0, 0),
5433 			BPF_EXIT_INSN(),
5434 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5435 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5436 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5437 			BPF_MOV64_IMM(BPF_REG_0, 0),
5438 			BPF_EXIT_INSN(),
5439 		},
5440 		.fixup_map2 = { 3 },
5441 		.result = ACCEPT,
5442 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5443 	},
5444 	{
5445 		"helper access to map: bounds check using s<, bad access",
5446 		.insns = {
5447 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5448 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5449 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5450 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5451 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5452 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5453 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5454 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5455 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5456 			BPF_MOV64_IMM(BPF_REG_0, 0),
5457 			BPF_EXIT_INSN(),
5458 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5459 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5460 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5461 			BPF_MOV64_IMM(BPF_REG_0, 0),
5462 			BPF_EXIT_INSN(),
5463 		},
5464 		.fixup_map2 = { 3 },
5465 		.result = REJECT,
5466 		.errstr = "R1 min value is negative",
5467 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5468 	},
5469 	{
5470 		"helper access to map: bounds check using s<=, good access",
5471 		.insns = {
5472 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5473 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5474 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5475 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5476 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5477 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5478 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5479 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5480 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5481 			BPF_MOV64_IMM(BPF_REG_0, 0),
5482 			BPF_EXIT_INSN(),
5483 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5484 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5485 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5486 			BPF_MOV64_IMM(BPF_REG_0, 0),
5487 			BPF_EXIT_INSN(),
5488 		},
5489 		.fixup_map2 = { 3 },
5490 		.result = ACCEPT,
5491 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5492 	},
5493 	{
5494 		"helper access to map: bounds check using s<=, good access 2",
5495 		.insns = {
5496 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5497 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5498 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5499 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5500 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5501 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5502 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5503 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5504 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5505 			BPF_MOV64_IMM(BPF_REG_0, 0),
5506 			BPF_EXIT_INSN(),
5507 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5508 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5509 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5510 			BPF_MOV64_IMM(BPF_REG_0, 0),
5511 			BPF_EXIT_INSN(),
5512 		},
5513 		.fixup_map2 = { 3 },
5514 		.result = ACCEPT,
5515 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5516 	},
5517 	{
5518 		"helper access to map: bounds check using s<=, bad access",
5519 		.insns = {
5520 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5521 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5522 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5523 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5524 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5525 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5526 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5527 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5528 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5529 			BPF_MOV64_IMM(BPF_REG_0, 0),
5530 			BPF_EXIT_INSN(),
5531 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5532 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5533 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5534 			BPF_MOV64_IMM(BPF_REG_0, 0),
5535 			BPF_EXIT_INSN(),
5536 		},
5537 		.fixup_map2 = { 3 },
5538 		.result = REJECT,
5539 		.errstr = "R1 min value is negative",
5540 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5541 	},
5542 	{
5543 		"map element value is preserved across register spilling",
5544 		.insns = {
5545 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5546 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5547 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5548 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5549 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5550 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5551 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5552 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5553 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5554 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5555 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5556 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5557 			BPF_EXIT_INSN(),
5558 		},
5559 		.fixup_map2 = { 3 },
5560 		.errstr_unpriv = "R0 leaks addr",
5561 		.result = ACCEPT,
5562 		.result_unpriv = REJECT,
5563 	},
5564 	{
5565 		"map element value or null is marked on register spilling",
5566 		.insns = {
5567 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5568 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5569 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5570 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5571 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5572 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5573 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5574 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5575 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5576 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5577 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5578 			BPF_EXIT_INSN(),
5579 		},
5580 		.fixup_map2 = { 3 },
5581 		.errstr_unpriv = "R0 leaks addr",
5582 		.result = ACCEPT,
5583 		.result_unpriv = REJECT,
5584 	},
5585 	{
5586 		"map element value store of cleared call register",
5587 		.insns = {
5588 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5589 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5590 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5591 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5592 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5593 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5594 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5595 			BPF_EXIT_INSN(),
5596 		},
5597 		.fixup_map2 = { 3 },
5598 		.errstr_unpriv = "R1 !read_ok",
5599 		.errstr = "R1 !read_ok",
5600 		.result = REJECT,
5601 		.result_unpriv = REJECT,
5602 	},
5603 	{
5604 		"map element value with unaligned store",
5605 		.insns = {
5606 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5607 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5608 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5609 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5610 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5611 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5612 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5613 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5614 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5615 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5616 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5617 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5618 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5619 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5621 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5622 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5623 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5624 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5625 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5626 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5627 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5628 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5629 			BPF_EXIT_INSN(),
5630 		},
5631 		.fixup_map2 = { 3 },
5632 		.errstr_unpriv = "R0 leaks addr",
5633 		.result = ACCEPT,
5634 		.result_unpriv = REJECT,
5635 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5636 	},
5637 	{
5638 		"map element value with unaligned load",
5639 		.insns = {
5640 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5641 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5642 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5643 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5644 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5645 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5646 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5647 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5648 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5649 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5650 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5651 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5652 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5653 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5654 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5655 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5656 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5657 			BPF_EXIT_INSN(),
5658 		},
5659 		.fixup_map2 = { 3 },
5660 		.errstr_unpriv = "R0 leaks addr",
5661 		.result = ACCEPT,
5662 		.result_unpriv = REJECT,
5663 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5664 	},
5665 	{
5666 		"map element value illegal alu op, 1",
5667 		.insns = {
5668 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5669 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5670 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5671 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5672 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5673 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5674 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5675 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5676 			BPF_EXIT_INSN(),
5677 		},
5678 		.fixup_map2 = { 3 },
5679 		.errstr = "R0 bitwise operator &= on pointer",
5680 		.result = REJECT,
5681 	},
5682 	{
5683 		"map element value illegal alu op, 2",
5684 		.insns = {
5685 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5686 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5687 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5688 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5689 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5690 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5691 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5692 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5693 			BPF_EXIT_INSN(),
5694 		},
5695 		.fixup_map2 = { 3 },
5696 		.errstr = "R0 32-bit pointer arithmetic prohibited",
5697 		.result = REJECT,
5698 	},
5699 	{
5700 		"map element value illegal alu op, 3",
5701 		.insns = {
5702 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5703 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5704 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5705 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5706 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5707 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5708 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5709 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5710 			BPF_EXIT_INSN(),
5711 		},
5712 		.fixup_map2 = { 3 },
5713 		.errstr = "R0 pointer arithmetic with /= operator",
5714 		.result = REJECT,
5715 	},
5716 	{
5717 		"map element value illegal alu op, 4",
5718 		.insns = {
5719 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5720 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5721 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5722 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5723 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5724 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5725 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5726 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5727 			BPF_EXIT_INSN(),
5728 		},
5729 		.fixup_map2 = { 3 },
5730 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
5731 		.errstr = "invalid mem access 'inv'",
5732 		.result = REJECT,
5733 		.result_unpriv = REJECT,
5734 	},
5735 	{
5736 		"map element value illegal alu op, 5",
5737 		.insns = {
5738 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5739 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5740 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5741 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5742 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5743 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5744 			BPF_MOV64_IMM(BPF_REG_3, 4096),
5745 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5746 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5747 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5748 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5749 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5750 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5751 			BPF_EXIT_INSN(),
5752 		},
5753 		.fixup_map2 = { 3 },
5754 		.errstr = "R0 invalid mem access 'inv'",
5755 		.result = REJECT,
5756 	},
5757 	{
5758 		"map element value is preserved across register spilling",
5759 		.insns = {
5760 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5761 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5762 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5763 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5764 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5765 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5766 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5767 				offsetof(struct test_val, foo)),
5768 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5769 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5770 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5771 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5772 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5773 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5774 			BPF_EXIT_INSN(),
5775 		},
5776 		.fixup_map2 = { 3 },
5777 		.errstr_unpriv = "R0 leaks addr",
5778 		.result = ACCEPT,
5779 		.result_unpriv = REJECT,
5780 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5781 	},
5782 	{
5783 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5784 		.insns = {
5785 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5786 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5787 			BPF_MOV64_IMM(BPF_REG_0, 0),
5788 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5789 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5790 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5791 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5792 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5793 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5794 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5795 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5796 			BPF_MOV64_IMM(BPF_REG_2, 16),
5797 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5798 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5799 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5800 			BPF_MOV64_IMM(BPF_REG_4, 0),
5801 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5802 			BPF_MOV64_IMM(BPF_REG_3, 0),
5803 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5804 			BPF_MOV64_IMM(BPF_REG_0, 0),
5805 			BPF_EXIT_INSN(),
5806 		},
5807 		.result = ACCEPT,
5808 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5809 	},
5810 	{
5811 		"helper access to variable memory: stack, bitwise AND, zero included",
5812 		.insns = {
5813 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5814 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5815 			BPF_MOV64_IMM(BPF_REG_2, 16),
5816 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5817 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5818 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5819 			BPF_MOV64_IMM(BPF_REG_3, 0),
5820 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5821 			BPF_EXIT_INSN(),
5822 		},
5823 		.errstr = "invalid indirect read from stack off -64+0 size 64",
5824 		.result = REJECT,
5825 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5826 	},
5827 	{
5828 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5829 		.insns = {
5830 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5832 			BPF_MOV64_IMM(BPF_REG_2, 16),
5833 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5834 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5835 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5836 			BPF_MOV64_IMM(BPF_REG_4, 0),
5837 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5838 			BPF_MOV64_IMM(BPF_REG_3, 0),
5839 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5840 			BPF_MOV64_IMM(BPF_REG_0, 0),
5841 			BPF_EXIT_INSN(),
5842 		},
5843 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5844 		.result = REJECT,
5845 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5846 	},
5847 	{
5848 		"helper access to variable memory: stack, JMP, correct bounds",
5849 		.insns = {
5850 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5851 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5852 			BPF_MOV64_IMM(BPF_REG_0, 0),
5853 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5854 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5855 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5856 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5857 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5858 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5859 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5860 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5861 			BPF_MOV64_IMM(BPF_REG_2, 16),
5862 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5863 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5864 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5865 			BPF_MOV64_IMM(BPF_REG_4, 0),
5866 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5867 			BPF_MOV64_IMM(BPF_REG_3, 0),
5868 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5869 			BPF_MOV64_IMM(BPF_REG_0, 0),
5870 			BPF_EXIT_INSN(),
5871 		},
5872 		.result = ACCEPT,
5873 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5874 	},
5875 	{
5876 		"helper access to variable memory: stack, JMP (signed), correct bounds",
5877 		.insns = {
5878 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5879 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5880 			BPF_MOV64_IMM(BPF_REG_0, 0),
5881 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5882 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5883 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5884 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5885 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5886 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5887 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5888 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5889 			BPF_MOV64_IMM(BPF_REG_2, 16),
5890 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5891 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5892 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5893 			BPF_MOV64_IMM(BPF_REG_4, 0),
5894 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5895 			BPF_MOV64_IMM(BPF_REG_3, 0),
5896 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5897 			BPF_MOV64_IMM(BPF_REG_0, 0),
5898 			BPF_EXIT_INSN(),
5899 		},
5900 		.result = ACCEPT,
5901 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5902 	},
5903 	{
5904 		"helper access to variable memory: stack, JMP, bounds + offset",
5905 		.insns = {
5906 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5907 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5908 			BPF_MOV64_IMM(BPF_REG_2, 16),
5909 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5910 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5911 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5912 			BPF_MOV64_IMM(BPF_REG_4, 0),
5913 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5914 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5915 			BPF_MOV64_IMM(BPF_REG_3, 0),
5916 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5917 			BPF_MOV64_IMM(BPF_REG_0, 0),
5918 			BPF_EXIT_INSN(),
5919 		},
5920 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5921 		.result = REJECT,
5922 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5923 	},
5924 	{
5925 		"helper access to variable memory: stack, JMP, wrong max",
5926 		.insns = {
5927 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5928 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5929 			BPF_MOV64_IMM(BPF_REG_2, 16),
5930 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5931 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5932 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5933 			BPF_MOV64_IMM(BPF_REG_4, 0),
5934 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5935 			BPF_MOV64_IMM(BPF_REG_3, 0),
5936 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5937 			BPF_MOV64_IMM(BPF_REG_0, 0),
5938 			BPF_EXIT_INSN(),
5939 		},
5940 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5941 		.result = REJECT,
5942 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5943 	},
5944 	{
5945 		"helper access to variable memory: stack, JMP, no max check",
5946 		.insns = {
5947 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5948 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5949 			BPF_MOV64_IMM(BPF_REG_2, 16),
5950 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5951 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5952 			BPF_MOV64_IMM(BPF_REG_4, 0),
5953 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5954 			BPF_MOV64_IMM(BPF_REG_3, 0),
5955 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5956 			BPF_MOV64_IMM(BPF_REG_0, 0),
5957 			BPF_EXIT_INSN(),
5958 		},
5959 		/* because max wasn't checked, signed min is negative */
5960 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
5961 		.result = REJECT,
5962 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5963 	},
5964 	{
5965 		"helper access to variable memory: stack, JMP, no min check",
5966 		.insns = {
5967 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5969 			BPF_MOV64_IMM(BPF_REG_2, 16),
5970 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5971 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5972 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5973 			BPF_MOV64_IMM(BPF_REG_3, 0),
5974 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5975 			BPF_MOV64_IMM(BPF_REG_0, 0),
5976 			BPF_EXIT_INSN(),
5977 		},
5978 		.errstr = "invalid indirect read from stack off -64+0 size 64",
5979 		.result = REJECT,
5980 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5981 	},
5982 	{
5983 		"helper access to variable memory: stack, JMP (signed), no min check",
5984 		.insns = {
5985 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5986 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5987 			BPF_MOV64_IMM(BPF_REG_2, 16),
5988 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5989 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5990 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5991 			BPF_MOV64_IMM(BPF_REG_3, 0),
5992 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5993 			BPF_MOV64_IMM(BPF_REG_0, 0),
5994 			BPF_EXIT_INSN(),
5995 		},
5996 		.errstr = "R2 min value is negative",
5997 		.result = REJECT,
5998 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5999 	},
6000 	{
6001 		"helper access to variable memory: map, JMP, correct bounds",
6002 		.insns = {
6003 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6004 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6005 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6006 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6007 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6008 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6009 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6010 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6011 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6012 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6013 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6014 				sizeof(struct test_val), 4),
6015 			BPF_MOV64_IMM(BPF_REG_4, 0),
6016 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6017 			BPF_MOV64_IMM(BPF_REG_3, 0),
6018 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6019 			BPF_MOV64_IMM(BPF_REG_0, 0),
6020 			BPF_EXIT_INSN(),
6021 		},
6022 		.fixup_map2 = { 3 },
6023 		.result = ACCEPT,
6024 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6025 	},
6026 	{
6027 		"helper access to variable memory: map, JMP, wrong max",
6028 		.insns = {
6029 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6030 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6031 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6032 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6033 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6034 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6035 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6036 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6037 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6038 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6039 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6040 				sizeof(struct test_val) + 1, 4),
6041 			BPF_MOV64_IMM(BPF_REG_4, 0),
6042 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6043 			BPF_MOV64_IMM(BPF_REG_3, 0),
6044 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6045 			BPF_MOV64_IMM(BPF_REG_0, 0),
6046 			BPF_EXIT_INSN(),
6047 		},
6048 		.fixup_map2 = { 3 },
6049 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
6050 		.result = REJECT,
6051 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6052 	},
6053 	{
6054 		"helper access to variable memory: map adjusted, JMP, correct bounds",
6055 		.insns = {
6056 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6057 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6058 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6059 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6060 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6061 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6062 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6063 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6064 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6065 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6066 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6067 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6068 				sizeof(struct test_val) - 20, 4),
6069 			BPF_MOV64_IMM(BPF_REG_4, 0),
6070 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6071 			BPF_MOV64_IMM(BPF_REG_3, 0),
6072 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6073 			BPF_MOV64_IMM(BPF_REG_0, 0),
6074 			BPF_EXIT_INSN(),
6075 		},
6076 		.fixup_map2 = { 3 },
6077 		.result = ACCEPT,
6078 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6079 	},
6080 	{
6081 		"helper access to variable memory: map adjusted, JMP, wrong max",
6082 		.insns = {
6083 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6084 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6085 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6086 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6087 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6088 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6089 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6090 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6091 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6092 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6093 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6094 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6095 				sizeof(struct test_val) - 19, 4),
6096 			BPF_MOV64_IMM(BPF_REG_4, 0),
6097 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6098 			BPF_MOV64_IMM(BPF_REG_3, 0),
6099 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6100 			BPF_MOV64_IMM(BPF_REG_0, 0),
6101 			BPF_EXIT_INSN(),
6102 		},
6103 		.fixup_map2 = { 3 },
6104 		.errstr = "R1 min value is outside of the array range",
6105 		.result = REJECT,
6106 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6107 	},
6108 	{
6109 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6110 		.insns = {
6111 			BPF_MOV64_IMM(BPF_REG_1, 0),
6112 			BPF_MOV64_IMM(BPF_REG_2, 0),
6113 			BPF_MOV64_IMM(BPF_REG_3, 0),
6114 			BPF_MOV64_IMM(BPF_REG_4, 0),
6115 			BPF_MOV64_IMM(BPF_REG_5, 0),
6116 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6117 			BPF_EXIT_INSN(),
6118 		},
6119 		.result = ACCEPT,
6120 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6121 	},
6122 	{
6123 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6124 		.insns = {
6125 			BPF_MOV64_IMM(BPF_REG_1, 0),
6126 			BPF_MOV64_IMM(BPF_REG_2, 1),
6127 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6128 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6129 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6130 			BPF_MOV64_IMM(BPF_REG_3, 0),
6131 			BPF_MOV64_IMM(BPF_REG_4, 0),
6132 			BPF_MOV64_IMM(BPF_REG_5, 0),
6133 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6134 			BPF_EXIT_INSN(),
6135 		},
6136 		.errstr = "R1 type=inv expected=fp",
6137 		.result = REJECT,
6138 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6139 	},
6140 	{
6141 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6142 		.insns = {
6143 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6144 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6145 			BPF_MOV64_IMM(BPF_REG_2, 0),
6146 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6147 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6148 			BPF_MOV64_IMM(BPF_REG_3, 0),
6149 			BPF_MOV64_IMM(BPF_REG_4, 0),
6150 			BPF_MOV64_IMM(BPF_REG_5, 0),
6151 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6152 			BPF_EXIT_INSN(),
6153 		},
6154 		.result = ACCEPT,
6155 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6156 	},
6157 	{
6158 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6159 		.insns = {
6160 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6161 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6162 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6163 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6164 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6165 				     BPF_FUNC_map_lookup_elem),
6166 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6167 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6168 			BPF_MOV64_IMM(BPF_REG_2, 0),
6169 			BPF_MOV64_IMM(BPF_REG_3, 0),
6170 			BPF_MOV64_IMM(BPF_REG_4, 0),
6171 			BPF_MOV64_IMM(BPF_REG_5, 0),
6172 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6173 			BPF_EXIT_INSN(),
6174 		},
6175 		.fixup_map1 = { 3 },
6176 		.result = ACCEPT,
6177 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6178 	},
6179 	{
6180 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6181 		.insns = {
6182 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6183 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6184 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6185 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6186 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6187 				     BPF_FUNC_map_lookup_elem),
6188 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6189 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6190 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6191 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6193 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6194 			BPF_MOV64_IMM(BPF_REG_3, 0),
6195 			BPF_MOV64_IMM(BPF_REG_4, 0),
6196 			BPF_MOV64_IMM(BPF_REG_5, 0),
6197 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6198 			BPF_EXIT_INSN(),
6199 		},
6200 		.fixup_map1 = { 3 },
6201 		.result = ACCEPT,
6202 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6203 	},
6204 	{
6205 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6206 		.insns = {
6207 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6208 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6209 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6210 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6211 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6212 				     BPF_FUNC_map_lookup_elem),
6213 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6214 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6215 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6216 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6217 			BPF_MOV64_IMM(BPF_REG_3, 0),
6218 			BPF_MOV64_IMM(BPF_REG_4, 0),
6219 			BPF_MOV64_IMM(BPF_REG_5, 0),
6220 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6221 			BPF_EXIT_INSN(),
6222 		},
6223 		.fixup_map1 = { 3 },
6224 		.result = ACCEPT,
6225 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6226 	},
6227 	{
6228 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6229 		.insns = {
6230 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6231 				    offsetof(struct __sk_buff, data)),
6232 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6233 				    offsetof(struct __sk_buff, data_end)),
6234 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6235 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6236 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6237 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6238 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6239 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6240 			BPF_MOV64_IMM(BPF_REG_3, 0),
6241 			BPF_MOV64_IMM(BPF_REG_4, 0),
6242 			BPF_MOV64_IMM(BPF_REG_5, 0),
6243 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6244 			BPF_EXIT_INSN(),
6245 		},
6246 		.result = ACCEPT,
6247 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6248 		.retval = 0 /* csum_diff of 64-byte packet */,
6249 	},
6250 	{
6251 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6252 		.insns = {
6253 			BPF_MOV64_IMM(BPF_REG_1, 0),
6254 			BPF_MOV64_IMM(BPF_REG_2, 0),
6255 			BPF_MOV64_IMM(BPF_REG_3, 0),
6256 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6257 			BPF_EXIT_INSN(),
6258 		},
6259 		.errstr = "R1 type=inv expected=fp",
6260 		.result = REJECT,
6261 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6262 	},
6263 	{
6264 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6265 		.insns = {
6266 			BPF_MOV64_IMM(BPF_REG_1, 0),
6267 			BPF_MOV64_IMM(BPF_REG_2, 1),
6268 			BPF_MOV64_IMM(BPF_REG_3, 0),
6269 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6270 			BPF_EXIT_INSN(),
6271 		},
6272 		.errstr = "R1 type=inv expected=fp",
6273 		.result = REJECT,
6274 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6275 	},
6276 	{
6277 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6278 		.insns = {
6279 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6280 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6281 			BPF_MOV64_IMM(BPF_REG_2, 0),
6282 			BPF_MOV64_IMM(BPF_REG_3, 0),
6283 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6284 			BPF_EXIT_INSN(),
6285 		},
6286 		.result = ACCEPT,
6287 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6288 	},
6289 	{
6290 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6291 		.insns = {
6292 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6293 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6294 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6295 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6296 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6297 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6298 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6299 			BPF_MOV64_IMM(BPF_REG_2, 0),
6300 			BPF_MOV64_IMM(BPF_REG_3, 0),
6301 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6302 			BPF_EXIT_INSN(),
6303 		},
6304 		.fixup_map1 = { 3 },
6305 		.result = ACCEPT,
6306 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6307 	},
6308 	{
6309 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6310 		.insns = {
6311 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6312 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6313 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6314 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6315 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6316 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6317 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6318 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6319 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6320 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6321 			BPF_MOV64_IMM(BPF_REG_3, 0),
6322 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6323 			BPF_EXIT_INSN(),
6324 		},
6325 		.fixup_map1 = { 3 },
6326 		.result = ACCEPT,
6327 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6328 	},
6329 	{
6330 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6331 		.insns = {
6332 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6333 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6334 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6335 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6336 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6337 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6338 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6339 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6340 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6341 			BPF_MOV64_IMM(BPF_REG_3, 0),
6342 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6343 			BPF_EXIT_INSN(),
6344 		},
6345 		.fixup_map1 = { 3 },
6346 		.result = ACCEPT,
6347 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6348 	},
6349 	{
6350 		"helper access to variable memory: 8 bytes leak",
6351 		.insns = {
6352 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6353 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6354 			BPF_MOV64_IMM(BPF_REG_0, 0),
6355 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6356 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6357 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6358 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6359 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6360 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6361 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6362 			BPF_MOV64_IMM(BPF_REG_2, 1),
6363 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6364 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6365 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6366 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6367 			BPF_MOV64_IMM(BPF_REG_3, 0),
6368 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6369 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6370 			BPF_EXIT_INSN(),
6371 		},
6372 		.errstr = "invalid indirect read from stack off -64+32 size 64",
6373 		.result = REJECT,
6374 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6375 	},
6376 	{
6377 		"helper access to variable memory: 8 bytes no leak (init memory)",
6378 		.insns = {
6379 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6380 			BPF_MOV64_IMM(BPF_REG_0, 0),
6381 			BPF_MOV64_IMM(BPF_REG_0, 0),
6382 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6383 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6384 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6385 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6386 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6387 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6388 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6389 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6390 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6391 			BPF_MOV64_IMM(BPF_REG_2, 0),
6392 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6393 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6394 			BPF_MOV64_IMM(BPF_REG_3, 0),
6395 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6396 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6397 			BPF_EXIT_INSN(),
6398 		},
6399 		.result = ACCEPT,
6400 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6401 	},
6402 	{
6403 		"invalid and of negative number",
6404 		.insns = {
6405 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6406 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6407 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6408 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6409 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6410 				     BPF_FUNC_map_lookup_elem),
6411 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6412 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6413 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6414 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6415 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6416 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6417 				   offsetof(struct test_val, foo)),
6418 			BPF_EXIT_INSN(),
6419 		},
6420 		.fixup_map2 = { 3 },
6421 		.errstr = "R0 max value is outside of the array range",
6422 		.result = REJECT,
6423 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6424 	},
6425 	{
6426 		"invalid range check",
6427 		.insns = {
6428 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6429 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6430 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6431 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6432 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6433 				     BPF_FUNC_map_lookup_elem),
6434 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6435 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6436 			BPF_MOV64_IMM(BPF_REG_9, 1),
6437 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6438 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6439 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6440 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6441 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6442 			BPF_MOV32_IMM(BPF_REG_3, 1),
6443 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6444 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6445 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6446 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6447 			BPF_MOV64_REG(BPF_REG_0, 0),
6448 			BPF_EXIT_INSN(),
6449 		},
6450 		.fixup_map2 = { 3 },
6451 		.errstr = "R0 max value is outside of the array range",
6452 		.result = REJECT,
6453 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6454 	},
6455 	{
6456 		"map in map access",
6457 		.insns = {
6458 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6459 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6460 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6461 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6462 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6463 				     BPF_FUNC_map_lookup_elem),
6464 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6465 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6466 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6467 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6468 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6469 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6470 				     BPF_FUNC_map_lookup_elem),
6471 			BPF_MOV64_REG(BPF_REG_0, 0),
6472 			BPF_EXIT_INSN(),
6473 		},
6474 		.fixup_map_in_map = { 3 },
6475 		.result = ACCEPT,
6476 	},
6477 	{
6478 		"invalid inner map pointer",
6479 		.insns = {
6480 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6481 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6482 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6483 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6484 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6485 				     BPF_FUNC_map_lookup_elem),
6486 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6487 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6488 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6489 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6490 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6491 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6492 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6493 				     BPF_FUNC_map_lookup_elem),
6494 			BPF_MOV64_REG(BPF_REG_0, 0),
6495 			BPF_EXIT_INSN(),
6496 		},
6497 		.fixup_map_in_map = { 3 },
6498 		.errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6499 		.result = REJECT,
6500 	},
6501 	{
6502 		"forgot null checking on the inner map pointer",
6503 		.insns = {
6504 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6505 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6506 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6507 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6508 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6509 				     BPF_FUNC_map_lookup_elem),
6510 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6511 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6512 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6513 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6514 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6515 				     BPF_FUNC_map_lookup_elem),
6516 			BPF_MOV64_REG(BPF_REG_0, 0),
6517 			BPF_EXIT_INSN(),
6518 		},
6519 		.fixup_map_in_map = { 3 },
6520 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
6521 		.result = REJECT,
6522 	},
6523 	{
6524 		"ld_abs: check calling conv, r1",
6525 		.insns = {
6526 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6527 			BPF_MOV64_IMM(BPF_REG_1, 0),
6528 			BPF_LD_ABS(BPF_W, -0x200000),
6529 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6530 			BPF_EXIT_INSN(),
6531 		},
6532 		.errstr = "R1 !read_ok",
6533 		.result = REJECT,
6534 	},
6535 	{
6536 		"ld_abs: check calling conv, r2",
6537 		.insns = {
6538 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6539 			BPF_MOV64_IMM(BPF_REG_2, 0),
6540 			BPF_LD_ABS(BPF_W, -0x200000),
6541 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6542 			BPF_EXIT_INSN(),
6543 		},
6544 		.errstr = "R2 !read_ok",
6545 		.result = REJECT,
6546 	},
6547 	{
6548 		"ld_abs: check calling conv, r3",
6549 		.insns = {
6550 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6551 			BPF_MOV64_IMM(BPF_REG_3, 0),
6552 			BPF_LD_ABS(BPF_W, -0x200000),
6553 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6554 			BPF_EXIT_INSN(),
6555 		},
6556 		.errstr = "R3 !read_ok",
6557 		.result = REJECT,
6558 	},
6559 	{
6560 		"ld_abs: check calling conv, r4",
6561 		.insns = {
6562 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6563 			BPF_MOV64_IMM(BPF_REG_4, 0),
6564 			BPF_LD_ABS(BPF_W, -0x200000),
6565 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6566 			BPF_EXIT_INSN(),
6567 		},
6568 		.errstr = "R4 !read_ok",
6569 		.result = REJECT,
6570 	},
6571 	{
6572 		"ld_abs: check calling conv, r5",
6573 		.insns = {
6574 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6575 			BPF_MOV64_IMM(BPF_REG_5, 0),
6576 			BPF_LD_ABS(BPF_W, -0x200000),
6577 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6578 			BPF_EXIT_INSN(),
6579 		},
6580 		.errstr = "R5 !read_ok",
6581 		.result = REJECT,
6582 	},
6583 	{
6584 		"ld_abs: check calling conv, r7",
6585 		.insns = {
6586 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6587 			BPF_MOV64_IMM(BPF_REG_7, 0),
6588 			BPF_LD_ABS(BPF_W, -0x200000),
6589 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6590 			BPF_EXIT_INSN(),
6591 		},
6592 		.result = ACCEPT,
6593 	},
6594 	{
6595 		"ld_abs: tests on r6 and skb data reload helper",
6596 		.insns = {
6597 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6598 			BPF_LD_ABS(BPF_B, 0),
6599 			BPF_LD_ABS(BPF_H, 0),
6600 			BPF_LD_ABS(BPF_W, 0),
6601 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6602 			BPF_MOV64_IMM(BPF_REG_6, 0),
6603 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6604 			BPF_MOV64_IMM(BPF_REG_2, 1),
6605 			BPF_MOV64_IMM(BPF_REG_3, 2),
6606 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6607 				     BPF_FUNC_skb_vlan_push),
6608 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6609 			BPF_LD_ABS(BPF_B, 0),
6610 			BPF_LD_ABS(BPF_H, 0),
6611 			BPF_LD_ABS(BPF_W, 0),
6612 			BPF_MOV64_IMM(BPF_REG_0, 42),
6613 			BPF_EXIT_INSN(),
6614 		},
6615 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6616 		.result = ACCEPT,
6617 		.retval = 42 /* ultimate return value */,
6618 	},
6619 	{
6620 		"ld_ind: check calling conv, r1",
6621 		.insns = {
6622 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6623 			BPF_MOV64_IMM(BPF_REG_1, 1),
6624 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6625 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6626 			BPF_EXIT_INSN(),
6627 		},
6628 		.errstr = "R1 !read_ok",
6629 		.result = REJECT,
6630 	},
6631 	{
6632 		"ld_ind: check calling conv, r2",
6633 		.insns = {
6634 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6635 			BPF_MOV64_IMM(BPF_REG_2, 1),
6636 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6637 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6638 			BPF_EXIT_INSN(),
6639 		},
6640 		.errstr = "R2 !read_ok",
6641 		.result = REJECT,
6642 	},
6643 	{
6644 		"ld_ind: check calling conv, r3",
6645 		.insns = {
6646 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6647 			BPF_MOV64_IMM(BPF_REG_3, 1),
6648 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6649 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6650 			BPF_EXIT_INSN(),
6651 		},
6652 		.errstr = "R3 !read_ok",
6653 		.result = REJECT,
6654 	},
6655 	{
6656 		"ld_ind: check calling conv, r4",
6657 		.insns = {
6658 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6659 			BPF_MOV64_IMM(BPF_REG_4, 1),
6660 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6661 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6662 			BPF_EXIT_INSN(),
6663 		},
6664 		.errstr = "R4 !read_ok",
6665 		.result = REJECT,
6666 	},
6667 	{
6668 		"ld_ind: check calling conv, r5",
6669 		.insns = {
6670 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6671 			BPF_MOV64_IMM(BPF_REG_5, 1),
6672 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6673 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6674 			BPF_EXIT_INSN(),
6675 		},
6676 		.errstr = "R5 !read_ok",
6677 		.result = REJECT,
6678 	},
6679 	{
6680 		"ld_ind: check calling conv, r7",
6681 		.insns = {
6682 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6683 			BPF_MOV64_IMM(BPF_REG_7, 1),
6684 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6685 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6686 			BPF_EXIT_INSN(),
6687 		},
6688 		.result = ACCEPT,
6689 		.retval = 1,
6690 	},
6691 	{
6692 		"check bpf_perf_event_data->sample_period byte load permitted",
6693 		.insns = {
6694 			BPF_MOV64_IMM(BPF_REG_0, 0),
6695 #if __BYTE_ORDER == __LITTLE_ENDIAN
6696 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6697 				    offsetof(struct bpf_perf_event_data, sample_period)),
6698 #else
6699 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6700 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
6701 #endif
6702 			BPF_EXIT_INSN(),
6703 		},
6704 		.result = ACCEPT,
6705 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6706 	},
6707 	{
6708 		"check bpf_perf_event_data->sample_period half load permitted",
6709 		.insns = {
6710 			BPF_MOV64_IMM(BPF_REG_0, 0),
6711 #if __BYTE_ORDER == __LITTLE_ENDIAN
6712 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6713 				    offsetof(struct bpf_perf_event_data, sample_period)),
6714 #else
6715 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6716 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
6717 #endif
6718 			BPF_EXIT_INSN(),
6719 		},
6720 		.result = ACCEPT,
6721 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6722 	},
6723 	{
6724 		"check bpf_perf_event_data->sample_period word load permitted",
6725 		.insns = {
6726 			BPF_MOV64_IMM(BPF_REG_0, 0),
6727 #if __BYTE_ORDER == __LITTLE_ENDIAN
6728 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6729 				    offsetof(struct bpf_perf_event_data, sample_period)),
6730 #else
6731 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6732 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
6733 #endif
6734 			BPF_EXIT_INSN(),
6735 		},
6736 		.result = ACCEPT,
6737 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6738 	},
6739 	{
6740 		"check bpf_perf_event_data->sample_period dword load permitted",
6741 		.insns = {
6742 			BPF_MOV64_IMM(BPF_REG_0, 0),
6743 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6744 				    offsetof(struct bpf_perf_event_data, sample_period)),
6745 			BPF_EXIT_INSN(),
6746 		},
6747 		.result = ACCEPT,
6748 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6749 	},
6750 	{
6751 		"check skb->data half load not permitted",
6752 		.insns = {
6753 			BPF_MOV64_IMM(BPF_REG_0, 0),
6754 #if __BYTE_ORDER == __LITTLE_ENDIAN
6755 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6756 				    offsetof(struct __sk_buff, data)),
6757 #else
6758 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6759 				    offsetof(struct __sk_buff, data) + 2),
6760 #endif
6761 			BPF_EXIT_INSN(),
6762 		},
6763 		.result = REJECT,
6764 		.errstr = "invalid bpf_context access",
6765 	},
6766 	{
6767 		"check skb->tc_classid half load not permitted for lwt prog",
6768 		.insns = {
6769 			BPF_MOV64_IMM(BPF_REG_0, 0),
6770 #if __BYTE_ORDER == __LITTLE_ENDIAN
6771 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6772 				    offsetof(struct __sk_buff, tc_classid)),
6773 #else
6774 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6775 				    offsetof(struct __sk_buff, tc_classid) + 2),
6776 #endif
6777 			BPF_EXIT_INSN(),
6778 		},
6779 		.result = REJECT,
6780 		.errstr = "invalid bpf_context access",
6781 		.prog_type = BPF_PROG_TYPE_LWT_IN,
6782 	},
6783 	{
6784 		"bounds checks mixing signed and unsigned, positive bounds",
6785 		.insns = {
6786 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6787 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6789 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6790 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6791 				     BPF_FUNC_map_lookup_elem),
6792 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6793 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6794 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6795 			BPF_MOV64_IMM(BPF_REG_2, 2),
6796 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6797 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6798 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6799 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6800 			BPF_MOV64_IMM(BPF_REG_0, 0),
6801 			BPF_EXIT_INSN(),
6802 		},
6803 		.fixup_map1 = { 3 },
6804 		.errstr = "unbounded min value",
6805 		.result = REJECT,
6806 	},
6807 	{
6808 		"bounds checks mixing signed and unsigned",
6809 		.insns = {
6810 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6811 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6812 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6813 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6814 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6815 				     BPF_FUNC_map_lookup_elem),
6816 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6817 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6818 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6819 			BPF_MOV64_IMM(BPF_REG_2, -1),
6820 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6821 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6822 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6823 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6824 			BPF_MOV64_IMM(BPF_REG_0, 0),
6825 			BPF_EXIT_INSN(),
6826 		},
6827 		.fixup_map1 = { 3 },
6828 		.errstr = "unbounded min value",
6829 		.result = REJECT,
6830 	},
6831 	{
6832 		"bounds checks mixing signed and unsigned, variant 2",
6833 		.insns = {
6834 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6835 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6836 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6837 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6838 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6839 				     BPF_FUNC_map_lookup_elem),
6840 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6841 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6842 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6843 			BPF_MOV64_IMM(BPF_REG_2, -1),
6844 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6845 			BPF_MOV64_IMM(BPF_REG_8, 0),
6846 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6847 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6848 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6849 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6850 			BPF_MOV64_IMM(BPF_REG_0, 0),
6851 			BPF_EXIT_INSN(),
6852 		},
6853 		.fixup_map1 = { 3 },
6854 		.errstr = "unbounded min value",
6855 		.result = REJECT,
6856 	},
6857 	{
6858 		"bounds checks mixing signed and unsigned, variant 3",
6859 		.insns = {
6860 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6861 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6862 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6863 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6864 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6865 				     BPF_FUNC_map_lookup_elem),
6866 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6867 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6868 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6869 			BPF_MOV64_IMM(BPF_REG_2, -1),
6870 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6871 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6872 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6873 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6874 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6875 			BPF_MOV64_IMM(BPF_REG_0, 0),
6876 			BPF_EXIT_INSN(),
6877 		},
6878 		.fixup_map1 = { 3 },
6879 		.errstr = "unbounded min value",
6880 		.result = REJECT,
6881 	},
6882 	{
6883 		"bounds checks mixing signed and unsigned, variant 4",
6884 		.insns = {
6885 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6886 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6887 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6888 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6889 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6890 				     BPF_FUNC_map_lookup_elem),
6891 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6892 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6893 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6894 			BPF_MOV64_IMM(BPF_REG_2, 1),
6895 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6896 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6897 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6898 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6899 			BPF_MOV64_IMM(BPF_REG_0, 0),
6900 			BPF_EXIT_INSN(),
6901 		},
6902 		.fixup_map1 = { 3 },
6903 		.result = ACCEPT,
6904 	},
6905 	{
6906 		"bounds checks mixing signed and unsigned, variant 5",
6907 		.insns = {
6908 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6909 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6910 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6911 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6913 				     BPF_FUNC_map_lookup_elem),
6914 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6915 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6916 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6917 			BPF_MOV64_IMM(BPF_REG_2, -1),
6918 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6919 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6920 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6921 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6922 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6923 			BPF_MOV64_IMM(BPF_REG_0, 0),
6924 			BPF_EXIT_INSN(),
6925 		},
6926 		.fixup_map1 = { 3 },
6927 		.errstr = "unbounded min value",
6928 		.result = REJECT,
6929 	},
6930 	{
6931 		"bounds checks mixing signed and unsigned, variant 6",
6932 		.insns = {
6933 			BPF_MOV64_IMM(BPF_REG_2, 0),
6934 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6935 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6936 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6937 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6938 			BPF_MOV64_IMM(BPF_REG_6, -1),
6939 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6940 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6942 			BPF_MOV64_IMM(BPF_REG_5, 0),
6943 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6944 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6945 				     BPF_FUNC_skb_load_bytes),
6946 			BPF_MOV64_IMM(BPF_REG_0, 0),
6947 			BPF_EXIT_INSN(),
6948 		},
6949 		.errstr = "R4 min value is negative, either use unsigned",
6950 		.result = REJECT,
6951 	},
6952 	{
6953 		"bounds checks mixing signed and unsigned, variant 7",
6954 		.insns = {
6955 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6956 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6957 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6958 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6959 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6960 				     BPF_FUNC_map_lookup_elem),
6961 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6962 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6963 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6964 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6965 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6966 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6967 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6968 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6969 			BPF_MOV64_IMM(BPF_REG_0, 0),
6970 			BPF_EXIT_INSN(),
6971 		},
6972 		.fixup_map1 = { 3 },
6973 		.result = ACCEPT,
6974 	},
6975 	{
6976 		"bounds checks mixing signed and unsigned, variant 8",
6977 		.insns = {
6978 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6979 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6980 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6981 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6982 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6983 				     BPF_FUNC_map_lookup_elem),
6984 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6985 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6986 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6987 			BPF_MOV64_IMM(BPF_REG_2, -1),
6988 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6989 			BPF_MOV64_IMM(BPF_REG_0, 0),
6990 			BPF_EXIT_INSN(),
6991 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6992 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6993 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6994 			BPF_MOV64_IMM(BPF_REG_0, 0),
6995 			BPF_EXIT_INSN(),
6996 		},
6997 		.fixup_map1 = { 3 },
6998 		.errstr = "unbounded min value",
6999 		.result = REJECT,
7000 	},
7001 	{
7002 		"bounds checks mixing signed and unsigned, variant 9",
7003 		.insns = {
7004 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7005 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7006 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7007 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7008 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7009 				     BPF_FUNC_map_lookup_elem),
7010 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7011 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7012 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7013 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7014 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7015 			BPF_MOV64_IMM(BPF_REG_0, 0),
7016 			BPF_EXIT_INSN(),
7017 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7018 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7019 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7020 			BPF_MOV64_IMM(BPF_REG_0, 0),
7021 			BPF_EXIT_INSN(),
7022 		},
7023 		.fixup_map1 = { 3 },
7024 		.result = ACCEPT,
7025 	},
7026 	{
7027 		"bounds checks mixing signed and unsigned, variant 10",
7028 		.insns = {
7029 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7030 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7031 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7032 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7033 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7034 				     BPF_FUNC_map_lookup_elem),
7035 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7036 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7037 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7038 			BPF_MOV64_IMM(BPF_REG_2, 0),
7039 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7040 			BPF_MOV64_IMM(BPF_REG_0, 0),
7041 			BPF_EXIT_INSN(),
7042 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7043 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7044 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7045 			BPF_MOV64_IMM(BPF_REG_0, 0),
7046 			BPF_EXIT_INSN(),
7047 		},
7048 		.fixup_map1 = { 3 },
7049 		.errstr = "unbounded min value",
7050 		.result = REJECT,
7051 	},
7052 	{
7053 		"bounds checks mixing signed and unsigned, variant 11",
7054 		.insns = {
7055 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7056 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7057 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7058 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7059 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7060 				     BPF_FUNC_map_lookup_elem),
7061 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7062 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7063 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7064 			BPF_MOV64_IMM(BPF_REG_2, -1),
7065 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7066 			/* Dead branch. */
7067 			BPF_MOV64_IMM(BPF_REG_0, 0),
7068 			BPF_EXIT_INSN(),
7069 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7070 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7071 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7072 			BPF_MOV64_IMM(BPF_REG_0, 0),
7073 			BPF_EXIT_INSN(),
7074 		},
7075 		.fixup_map1 = { 3 },
7076 		.errstr = "unbounded min value",
7077 		.result = REJECT,
7078 	},
7079 	{
7080 		"bounds checks mixing signed and unsigned, variant 12",
7081 		.insns = {
7082 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7083 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7084 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7085 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7086 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7087 				     BPF_FUNC_map_lookup_elem),
7088 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7089 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7090 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7091 			BPF_MOV64_IMM(BPF_REG_2, -6),
7092 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7093 			BPF_MOV64_IMM(BPF_REG_0, 0),
7094 			BPF_EXIT_INSN(),
7095 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7096 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7097 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7098 			BPF_MOV64_IMM(BPF_REG_0, 0),
7099 			BPF_EXIT_INSN(),
7100 		},
7101 		.fixup_map1 = { 3 },
7102 		.errstr = "unbounded min value",
7103 		.result = REJECT,
7104 	},
7105 	{
7106 		"bounds checks mixing signed and unsigned, variant 13",
7107 		.insns = {
7108 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7109 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7110 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7111 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7112 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7113 				     BPF_FUNC_map_lookup_elem),
7114 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7115 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7116 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7117 			BPF_MOV64_IMM(BPF_REG_2, 2),
7118 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7119 			BPF_MOV64_IMM(BPF_REG_7, 1),
7120 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7121 			BPF_MOV64_IMM(BPF_REG_0, 0),
7122 			BPF_EXIT_INSN(),
7123 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7124 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7125 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7126 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7127 			BPF_MOV64_IMM(BPF_REG_0, 0),
7128 			BPF_EXIT_INSN(),
7129 		},
7130 		.fixup_map1 = { 3 },
7131 		.errstr = "unbounded min value",
7132 		.result = REJECT,
7133 	},
7134 	{
7135 		"bounds checks mixing signed and unsigned, variant 14",
7136 		.insns = {
7137 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7138 				    offsetof(struct __sk_buff, mark)),
7139 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7140 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7141 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7142 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7143 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7144 				     BPF_FUNC_map_lookup_elem),
7145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7146 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7147 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7148 			BPF_MOV64_IMM(BPF_REG_2, -1),
7149 			BPF_MOV64_IMM(BPF_REG_8, 2),
7150 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7151 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7152 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7153 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7154 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7155 			BPF_MOV64_IMM(BPF_REG_0, 0),
7156 			BPF_EXIT_INSN(),
7157 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7158 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7159 		},
7160 		.fixup_map1 = { 4 },
7161 		.errstr = "R0 invalid mem access 'inv'",
7162 		.result = REJECT,
7163 	},
7164 	{
7165 		"bounds checks mixing signed and unsigned, variant 15",
7166 		.insns = {
7167 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7168 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7169 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7170 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7171 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7172 				     BPF_FUNC_map_lookup_elem),
7173 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7174 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7175 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7176 			BPF_MOV64_IMM(BPF_REG_2, -6),
7177 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7178 			BPF_MOV64_IMM(BPF_REG_0, 0),
7179 			BPF_EXIT_INSN(),
7180 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7181 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7182 			BPF_MOV64_IMM(BPF_REG_0, 0),
7183 			BPF_EXIT_INSN(),
7184 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7185 			BPF_MOV64_IMM(BPF_REG_0, 0),
7186 			BPF_EXIT_INSN(),
7187 		},
7188 		.fixup_map1 = { 3 },
7189 		.errstr = "unbounded min value",
7190 		.result = REJECT,
7191 		.result_unpriv = REJECT,
7192 	},
7193 	{
7194 		"subtraction bounds (map value) variant 1",
7195 		.insns = {
7196 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7197 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7198 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7199 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7200 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7201 				     BPF_FUNC_map_lookup_elem),
7202 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7203 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7204 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7205 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7206 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7207 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7208 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7209 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7210 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7211 			BPF_EXIT_INSN(),
7212 			BPF_MOV64_IMM(BPF_REG_0, 0),
7213 			BPF_EXIT_INSN(),
7214 		},
7215 		.fixup_map1 = { 3 },
7216 		.errstr = "R0 max value is outside of the array range",
7217 		.result = REJECT,
7218 	},
7219 	{
7220 		"subtraction bounds (map value) variant 2",
7221 		.insns = {
7222 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7223 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7224 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7225 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7226 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7227 				     BPF_FUNC_map_lookup_elem),
7228 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7229 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7230 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7231 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7232 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7233 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7234 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7235 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7236 			BPF_EXIT_INSN(),
7237 			BPF_MOV64_IMM(BPF_REG_0, 0),
7238 			BPF_EXIT_INSN(),
7239 		},
7240 		.fixup_map1 = { 3 },
7241 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7242 		.result = REJECT,
7243 	},
7244 	{
7245 		"bounds check based on zero-extended MOV",
7246 		.insns = {
7247 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7248 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7249 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7250 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7251 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7252 				     BPF_FUNC_map_lookup_elem),
7253 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7254 			/* r2 = 0x0000'0000'ffff'ffff */
7255 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7256 			/* r2 = 0 */
7257 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7258 			/* no-op */
7259 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7260 			/* access at offset 0 */
7261 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7262 			/* exit */
7263 			BPF_MOV64_IMM(BPF_REG_0, 0),
7264 			BPF_EXIT_INSN(),
7265 		},
7266 		.fixup_map1 = { 3 },
7267 		.result = ACCEPT
7268 	},
7269 	{
7270 		"bounds check based on sign-extended MOV. test1",
7271 		.insns = {
7272 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7273 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7274 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7275 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7276 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7277 				     BPF_FUNC_map_lookup_elem),
7278 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7279 			/* r2 = 0xffff'ffff'ffff'ffff */
7280 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7281 			/* r2 = 0xffff'ffff */
7282 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7283 			/* r0 = <oob pointer> */
7284 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7285 			/* access to OOB pointer */
7286 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7287 			/* exit */
7288 			BPF_MOV64_IMM(BPF_REG_0, 0),
7289 			BPF_EXIT_INSN(),
7290 		},
7291 		.fixup_map1 = { 3 },
7292 		.errstr = "map_value pointer and 4294967295",
7293 		.result = REJECT
7294 	},
7295 	{
7296 		"bounds check based on sign-extended MOV. test2",
7297 		.insns = {
7298 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7299 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7300 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7301 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7302 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7303 				     BPF_FUNC_map_lookup_elem),
7304 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7305 			/* r2 = 0xffff'ffff'ffff'ffff */
7306 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7307 			/* r2 = 0xfff'ffff */
7308 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7309 			/* r0 = <oob pointer> */
7310 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7311 			/* access to OOB pointer */
7312 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7313 			/* exit */
7314 			BPF_MOV64_IMM(BPF_REG_0, 0),
7315 			BPF_EXIT_INSN(),
7316 		},
7317 		.fixup_map1 = { 3 },
7318 		.errstr = "R0 min value is outside of the array range",
7319 		.result = REJECT
7320 	},
7321 	{
7322 		"bounds check based on reg_off + var_off + insn_off. test1",
7323 		.insns = {
7324 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7325 				    offsetof(struct __sk_buff, mark)),
7326 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7327 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7328 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7329 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7330 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7331 				     BPF_FUNC_map_lookup_elem),
7332 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7333 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7334 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7335 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7336 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7337 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7338 			BPF_MOV64_IMM(BPF_REG_0, 0),
7339 			BPF_EXIT_INSN(),
7340 		},
7341 		.fixup_map1 = { 4 },
7342 		.errstr = "value_size=8 off=1073741825",
7343 		.result = REJECT,
7344 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7345 	},
7346 	{
7347 		"bounds check based on reg_off + var_off + insn_off. test2",
7348 		.insns = {
7349 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7350 				    offsetof(struct __sk_buff, mark)),
7351 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7352 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7353 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7354 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7355 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7356 				     BPF_FUNC_map_lookup_elem),
7357 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7358 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7359 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7360 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7361 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7362 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7363 			BPF_MOV64_IMM(BPF_REG_0, 0),
7364 			BPF_EXIT_INSN(),
7365 		},
7366 		.fixup_map1 = { 4 },
7367 		.errstr = "value 1073741823",
7368 		.result = REJECT,
7369 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7370 	},
7371 	{
7372 		"bounds check after truncation of non-boundary-crossing range",
7373 		.insns = {
7374 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7375 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7377 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7378 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7379 				     BPF_FUNC_map_lookup_elem),
7380 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7381 			/* r1 = [0x00, 0xff] */
7382 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7383 			BPF_MOV64_IMM(BPF_REG_2, 1),
7384 			/* r2 = 0x10'0000'0000 */
7385 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7386 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7387 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7388 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7389 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7390 			/* r1 = [0x00, 0xff] */
7391 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7392 			/* r1 = 0 */
7393 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7394 			/* no-op */
7395 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7396 			/* access at offset 0 */
7397 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7398 			/* exit */
7399 			BPF_MOV64_IMM(BPF_REG_0, 0),
7400 			BPF_EXIT_INSN(),
7401 		},
7402 		.fixup_map1 = { 3 },
7403 		.result = ACCEPT
7404 	},
7405 	{
7406 		"bounds check after truncation of boundary-crossing range (1)",
7407 		.insns = {
7408 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7409 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7410 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7411 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7412 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7413 				     BPF_FUNC_map_lookup_elem),
7414 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7415 			/* r1 = [0x00, 0xff] */
7416 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7417 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7418 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7419 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7420 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7421 			 *      [0x0000'0000, 0x0000'007f]
7422 			 */
7423 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7424 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7425 			/* r1 = [0x00, 0xff] or
7426 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7427 			 */
7428 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7429 			/* r1 = 0 or
7430 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7431 			 */
7432 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7433 			/* no-op or OOB pointer computation */
7434 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7435 			/* potentially OOB access */
7436 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7437 			/* exit */
7438 			BPF_MOV64_IMM(BPF_REG_0, 0),
7439 			BPF_EXIT_INSN(),
7440 		},
7441 		.fixup_map1 = { 3 },
7442 		/* not actually fully unbounded, but the bound is very high */
7443 		.errstr = "R0 unbounded memory access",
7444 		.result = REJECT
7445 	},
7446 	{
7447 		"bounds check after truncation of boundary-crossing range (2)",
7448 		.insns = {
7449 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7450 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7452 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7453 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7454 				     BPF_FUNC_map_lookup_elem),
7455 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7456 			/* r1 = [0x00, 0xff] */
7457 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7459 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7460 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7461 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7462 			 *      [0x0000'0000, 0x0000'007f]
7463 			 * difference to previous test: truncation via MOV32
7464 			 * instead of ALU32.
7465 			 */
7466 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7467 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7468 			/* r1 = [0x00, 0xff] or
7469 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7470 			 */
7471 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7472 			/* r1 = 0 or
7473 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7474 			 */
7475 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7476 			/* no-op or OOB pointer computation */
7477 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7478 			/* potentially OOB access */
7479 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7480 			/* exit */
7481 			BPF_MOV64_IMM(BPF_REG_0, 0),
7482 			BPF_EXIT_INSN(),
7483 		},
7484 		.fixup_map1 = { 3 },
7485 		/* not actually fully unbounded, but the bound is very high */
7486 		.errstr = "R0 unbounded memory access",
7487 		.result = REJECT
7488 	},
7489 	{
7490 		"bounds check after wrapping 32-bit addition",
7491 		.insns = {
7492 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7493 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7495 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7496 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7497 				     BPF_FUNC_map_lookup_elem),
7498 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7499 			/* r1 = 0x7fff'ffff */
7500 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7501 			/* r1 = 0xffff'fffe */
7502 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7503 			/* r1 = 0 */
7504 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7505 			/* no-op */
7506 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7507 			/* access at offset 0 */
7508 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7509 			/* exit */
7510 			BPF_MOV64_IMM(BPF_REG_0, 0),
7511 			BPF_EXIT_INSN(),
7512 		},
7513 		.fixup_map1 = { 3 },
7514 		.result = ACCEPT
7515 	},
7516 	{
7517 		"bounds check after shift with oversized count operand",
7518 		.insns = {
7519 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7520 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7521 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7522 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7523 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7524 				     BPF_FUNC_map_lookup_elem),
7525 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7526 			BPF_MOV64_IMM(BPF_REG_2, 32),
7527 			BPF_MOV64_IMM(BPF_REG_1, 1),
7528 			/* r1 = (u32)1 << (u32)32 = ? */
7529 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7530 			/* r1 = [0x0000, 0xffff] */
7531 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7532 			/* computes unknown pointer, potentially OOB */
7533 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7534 			/* potentially OOB access */
7535 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7536 			/* exit */
7537 			BPF_MOV64_IMM(BPF_REG_0, 0),
7538 			BPF_EXIT_INSN(),
7539 		},
7540 		.fixup_map1 = { 3 },
7541 		.errstr = "R0 max value is outside of the array range",
7542 		.result = REJECT
7543 	},
7544 	{
7545 		"bounds check after right shift of maybe-negative number",
7546 		.insns = {
7547 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7548 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7549 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7550 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7551 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7552 				     BPF_FUNC_map_lookup_elem),
7553 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7554 			/* r1 = [0x00, 0xff] */
7555 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7556 			/* r1 = [-0x01, 0xfe] */
7557 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7558 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
7559 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7560 			/* r1 = 0 or 0xffff'ffff'ffff */
7561 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7562 			/* computes unknown pointer, potentially OOB */
7563 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7564 			/* potentially OOB access */
7565 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7566 			/* exit */
7567 			BPF_MOV64_IMM(BPF_REG_0, 0),
7568 			BPF_EXIT_INSN(),
7569 		},
7570 		.fixup_map1 = { 3 },
7571 		.errstr = "R0 unbounded memory access",
7572 		.result = REJECT
7573 	},
7574 	{
7575 		"bounds check map access with off+size signed 32bit overflow. test1",
7576 		.insns = {
7577 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7578 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7579 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7580 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7581 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7582 				     BPF_FUNC_map_lookup_elem),
7583 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7584 			BPF_EXIT_INSN(),
7585 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7586 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7587 			BPF_JMP_A(0),
7588 			BPF_EXIT_INSN(),
7589 		},
7590 		.fixup_map1 = { 3 },
7591 		.errstr = "map_value pointer and 2147483646",
7592 		.result = REJECT
7593 	},
7594 	{
7595 		"bounds check map access with off+size signed 32bit overflow. test2",
7596 		.insns = {
7597 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7598 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7599 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7600 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7601 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7602 				     BPF_FUNC_map_lookup_elem),
7603 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7604 			BPF_EXIT_INSN(),
7605 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7606 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7607 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7608 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7609 			BPF_JMP_A(0),
7610 			BPF_EXIT_INSN(),
7611 		},
7612 		.fixup_map1 = { 3 },
7613 		.errstr = "pointer offset 1073741822",
7614 		.result = REJECT
7615 	},
7616 	{
7617 		"bounds check map access with off+size signed 32bit overflow. test3",
7618 		.insns = {
7619 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7620 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7621 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7622 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7623 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7624 				     BPF_FUNC_map_lookup_elem),
7625 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7626 			BPF_EXIT_INSN(),
7627 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7628 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7629 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7630 			BPF_JMP_A(0),
7631 			BPF_EXIT_INSN(),
7632 		},
7633 		.fixup_map1 = { 3 },
7634 		.errstr = "pointer offset -1073741822",
7635 		.result = REJECT
7636 	},
7637 	{
7638 		"bounds check map access with off+size signed 32bit overflow. test4",
7639 		.insns = {
7640 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7641 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7642 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7643 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7644 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7645 				     BPF_FUNC_map_lookup_elem),
7646 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7647 			BPF_EXIT_INSN(),
7648 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
7649 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
7650 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7651 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7652 			BPF_JMP_A(0),
7653 			BPF_EXIT_INSN(),
7654 		},
7655 		.fixup_map1 = { 3 },
7656 		.errstr = "map_value pointer and 1000000000000",
7657 		.result = REJECT
7658 	},
7659 	{
7660 		"pointer/scalar confusion in state equality check (way 1)",
7661 		.insns = {
7662 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7663 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7665 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7666 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7667 				     BPF_FUNC_map_lookup_elem),
7668 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7669 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7670 			BPF_JMP_A(1),
7671 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7672 			BPF_JMP_A(0),
7673 			BPF_EXIT_INSN(),
7674 		},
7675 		.fixup_map1 = { 3 },
7676 		.result = ACCEPT,
7677 		.retval = POINTER_VALUE,
7678 		.result_unpriv = REJECT,
7679 		.errstr_unpriv = "R0 leaks addr as return value"
7680 	},
7681 	{
7682 		"pointer/scalar confusion in state equality check (way 2)",
7683 		.insns = {
7684 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7685 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7686 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7687 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7688 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7689 				     BPF_FUNC_map_lookup_elem),
7690 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
7691 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7692 			BPF_JMP_A(1),
7693 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7694 			BPF_EXIT_INSN(),
7695 		},
7696 		.fixup_map1 = { 3 },
7697 		.result = ACCEPT,
7698 		.retval = POINTER_VALUE,
7699 		.result_unpriv = REJECT,
7700 		.errstr_unpriv = "R0 leaks addr as return value"
7701 	},
7702 	{
7703 		"variable-offset ctx access",
7704 		.insns = {
7705 			/* Get an unknown value */
7706 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7707 			/* Make it small and 4-byte aligned */
7708 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7709 			/* add it to skb.  We now have either &skb->len or
7710 			 * &skb->pkt_type, but we don't know which
7711 			 */
7712 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7713 			/* dereference it */
7714 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7715 			BPF_EXIT_INSN(),
7716 		},
7717 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
7718 		.result = REJECT,
7719 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7720 	},
7721 	{
7722 		"variable-offset stack access",
7723 		.insns = {
7724 			/* Fill the top 8 bytes of the stack */
7725 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7726 			/* Get an unknown value */
7727 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7728 			/* Make it small and 4-byte aligned */
7729 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7730 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7731 			/* add it to fp.  We now have either fp-4 or fp-8, but
7732 			 * we don't know which
7733 			 */
7734 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7735 			/* dereference it */
7736 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
7737 			BPF_EXIT_INSN(),
7738 		},
7739 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
7740 		.result = REJECT,
7741 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7742 	},
7743 	{
7744 		"indirect variable-offset stack access",
7745 		.insns = {
7746 			/* Fill the top 8 bytes of the stack */
7747 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7748 			/* Get an unknown value */
7749 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7750 			/* Make it small and 4-byte aligned */
7751 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7752 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7753 			/* add it to fp.  We now have either fp-4 or fp-8, but
7754 			 * we don't know which
7755 			 */
7756 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7757 			/* dereference it indirectly */
7758 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7759 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7760 				     BPF_FUNC_map_lookup_elem),
7761 			BPF_MOV64_IMM(BPF_REG_0, 0),
7762 			BPF_EXIT_INSN(),
7763 		},
7764 		.fixup_map1 = { 5 },
7765 		.errstr = "variable stack read R2",
7766 		.result = REJECT,
7767 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7768 	},
7769 	{
7770 		"direct stack access with 32-bit wraparound. test1",
7771 		.insns = {
7772 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7773 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7775 			BPF_MOV32_IMM(BPF_REG_0, 0),
7776 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7777 			BPF_EXIT_INSN()
7778 		},
7779 		.errstr = "fp pointer and 2147483647",
7780 		.result = REJECT
7781 	},
7782 	{
7783 		"direct stack access with 32-bit wraparound. test2",
7784 		.insns = {
7785 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7786 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7787 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7788 			BPF_MOV32_IMM(BPF_REG_0, 0),
7789 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7790 			BPF_EXIT_INSN()
7791 		},
7792 		.errstr = "fp pointer and 1073741823",
7793 		.result = REJECT
7794 	},
7795 	{
7796 		"direct stack access with 32-bit wraparound. test3",
7797 		.insns = {
7798 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7800 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7801 			BPF_MOV32_IMM(BPF_REG_0, 0),
7802 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7803 			BPF_EXIT_INSN()
7804 		},
7805 		.errstr = "fp pointer offset 1073741822",
7806 		.result = REJECT
7807 	},
7808 	{
7809 		"liveness pruning and write screening",
7810 		.insns = {
7811 			/* Get an unknown value */
7812 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7813 			/* branch conditions teach us nothing about R2 */
7814 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7815 			BPF_MOV64_IMM(BPF_REG_0, 0),
7816 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7817 			BPF_MOV64_IMM(BPF_REG_0, 0),
7818 			BPF_EXIT_INSN(),
7819 		},
7820 		.errstr = "R0 !read_ok",
7821 		.result = REJECT,
7822 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7823 	},
7824 	{
7825 		"varlen_map_value_access pruning",
7826 		.insns = {
7827 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7828 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7829 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7830 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7831 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7832 				     BPF_FUNC_map_lookup_elem),
7833 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7834 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7835 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
7836 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
7837 			BPF_MOV32_IMM(BPF_REG_1, 0),
7838 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
7839 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7840 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
7841 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7842 				   offsetof(struct test_val, foo)),
7843 			BPF_EXIT_INSN(),
7844 		},
7845 		.fixup_map2 = { 3 },
7846 		.errstr_unpriv = "R0 leaks addr",
7847 		.errstr = "R0 unbounded memory access",
7848 		.result_unpriv = REJECT,
7849 		.result = REJECT,
7850 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7851 	},
7852 	{
7853 		"invalid 64-bit BPF_END",
7854 		.insns = {
7855 			BPF_MOV32_IMM(BPF_REG_0, 0),
7856 			{
7857 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
7858 				.dst_reg = BPF_REG_0,
7859 				.src_reg = 0,
7860 				.off   = 0,
7861 				.imm   = 32,
7862 			},
7863 			BPF_EXIT_INSN(),
7864 		},
7865 		.errstr = "unknown opcode d7",
7866 		.result = REJECT,
7867 	},
7868 	{
7869 		"XDP, using ifindex from netdev",
7870 		.insns = {
7871 			BPF_MOV64_IMM(BPF_REG_0, 0),
7872 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7873 				    offsetof(struct xdp_md, ingress_ifindex)),
7874 			BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
7875 			BPF_MOV64_IMM(BPF_REG_0, 1),
7876 			BPF_EXIT_INSN(),
7877 		},
7878 		.result = ACCEPT,
7879 		.prog_type = BPF_PROG_TYPE_XDP,
7880 		.retval = 1,
7881 	},
7882 	{
7883 		"meta access, test1",
7884 		.insns = {
7885 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7886 				    offsetof(struct xdp_md, data_meta)),
7887 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7888 				    offsetof(struct xdp_md, data)),
7889 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7890 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7891 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7892 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7893 			BPF_MOV64_IMM(BPF_REG_0, 0),
7894 			BPF_EXIT_INSN(),
7895 		},
7896 		.result = ACCEPT,
7897 		.prog_type = BPF_PROG_TYPE_XDP,
7898 	},
7899 	{
7900 		"meta access, test2",
7901 		.insns = {
7902 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7903 				    offsetof(struct xdp_md, data_meta)),
7904 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7905 				    offsetof(struct xdp_md, data)),
7906 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7907 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
7908 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7909 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7910 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7911 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7912 			BPF_MOV64_IMM(BPF_REG_0, 0),
7913 			BPF_EXIT_INSN(),
7914 		},
7915 		.result = REJECT,
7916 		.errstr = "invalid access to packet, off=-8",
7917 		.prog_type = BPF_PROG_TYPE_XDP,
7918 	},
7919 	{
7920 		"meta access, test3",
7921 		.insns = {
7922 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7923 				    offsetof(struct xdp_md, data_meta)),
7924 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7925 				    offsetof(struct xdp_md, data_end)),
7926 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7927 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7928 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7929 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7930 			BPF_MOV64_IMM(BPF_REG_0, 0),
7931 			BPF_EXIT_INSN(),
7932 		},
7933 		.result = REJECT,
7934 		.errstr = "invalid access to packet",
7935 		.prog_type = BPF_PROG_TYPE_XDP,
7936 	},
7937 	{
7938 		"meta access, test4",
7939 		.insns = {
7940 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7941 				    offsetof(struct xdp_md, data_meta)),
7942 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7943 				    offsetof(struct xdp_md, data_end)),
7944 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7945 				    offsetof(struct xdp_md, data)),
7946 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7948 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7949 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7950 			BPF_MOV64_IMM(BPF_REG_0, 0),
7951 			BPF_EXIT_INSN(),
7952 		},
7953 		.result = REJECT,
7954 		.errstr = "invalid access to packet",
7955 		.prog_type = BPF_PROG_TYPE_XDP,
7956 	},
7957 	{
7958 		"meta access, test5",
7959 		.insns = {
7960 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7961 				    offsetof(struct xdp_md, data_meta)),
7962 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7963 				    offsetof(struct xdp_md, data)),
7964 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7965 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7966 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
7967 			BPF_MOV64_IMM(BPF_REG_2, -8),
7968 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7969 				     BPF_FUNC_xdp_adjust_meta),
7970 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7971 			BPF_MOV64_IMM(BPF_REG_0, 0),
7972 			BPF_EXIT_INSN(),
7973 		},
7974 		.result = REJECT,
7975 		.errstr = "R3 !read_ok",
7976 		.prog_type = BPF_PROG_TYPE_XDP,
7977 	},
7978 	{
7979 		"meta access, test6",
7980 		.insns = {
7981 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7982 				    offsetof(struct xdp_md, data_meta)),
7983 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7984 				    offsetof(struct xdp_md, data)),
7985 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7986 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7987 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7988 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7989 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
7990 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7991 			BPF_MOV64_IMM(BPF_REG_0, 0),
7992 			BPF_EXIT_INSN(),
7993 		},
7994 		.result = REJECT,
7995 		.errstr = "invalid access to packet",
7996 		.prog_type = BPF_PROG_TYPE_XDP,
7997 	},
7998 	{
7999 		"meta access, test7",
8000 		.insns = {
8001 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8002 				    offsetof(struct xdp_md, data_meta)),
8003 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8004 				    offsetof(struct xdp_md, data)),
8005 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8006 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8007 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8008 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8009 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8010 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8011 			BPF_MOV64_IMM(BPF_REG_0, 0),
8012 			BPF_EXIT_INSN(),
8013 		},
8014 		.result = ACCEPT,
8015 		.prog_type = BPF_PROG_TYPE_XDP,
8016 	},
8017 	{
8018 		"meta access, test8",
8019 		.insns = {
8020 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8021 				    offsetof(struct xdp_md, data_meta)),
8022 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8023 				    offsetof(struct xdp_md, data)),
8024 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8025 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8026 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8027 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8028 			BPF_MOV64_IMM(BPF_REG_0, 0),
8029 			BPF_EXIT_INSN(),
8030 		},
8031 		.result = ACCEPT,
8032 		.prog_type = BPF_PROG_TYPE_XDP,
8033 	},
8034 	{
8035 		"meta access, test9",
8036 		.insns = {
8037 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8038 				    offsetof(struct xdp_md, data_meta)),
8039 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8040 				    offsetof(struct xdp_md, data)),
8041 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8042 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8043 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8044 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8045 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8046 			BPF_MOV64_IMM(BPF_REG_0, 0),
8047 			BPF_EXIT_INSN(),
8048 		},
8049 		.result = REJECT,
8050 		.errstr = "invalid access to packet",
8051 		.prog_type = BPF_PROG_TYPE_XDP,
8052 	},
8053 	{
8054 		"meta access, test10",
8055 		.insns = {
8056 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8057 				    offsetof(struct xdp_md, data_meta)),
8058 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8059 				    offsetof(struct xdp_md, data)),
8060 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8061 				    offsetof(struct xdp_md, data_end)),
8062 			BPF_MOV64_IMM(BPF_REG_5, 42),
8063 			BPF_MOV64_IMM(BPF_REG_6, 24),
8064 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8065 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8066 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8067 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8068 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8069 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8070 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8071 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8072 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8073 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8074 			BPF_MOV64_IMM(BPF_REG_0, 0),
8075 			BPF_EXIT_INSN(),
8076 		},
8077 		.result = REJECT,
8078 		.errstr = "invalid access to packet",
8079 		.prog_type = BPF_PROG_TYPE_XDP,
8080 	},
8081 	{
8082 		"meta access, test11",
8083 		.insns = {
8084 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8085 				    offsetof(struct xdp_md, data_meta)),
8086 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8087 				    offsetof(struct xdp_md, data)),
8088 			BPF_MOV64_IMM(BPF_REG_5, 42),
8089 			BPF_MOV64_IMM(BPF_REG_6, 24),
8090 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8091 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8092 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8093 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8094 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8095 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8096 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8097 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8098 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8099 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8100 			BPF_MOV64_IMM(BPF_REG_0, 0),
8101 			BPF_EXIT_INSN(),
8102 		},
8103 		.result = ACCEPT,
8104 		.prog_type = BPF_PROG_TYPE_XDP,
8105 	},
8106 	{
8107 		"meta access, test12",
8108 		.insns = {
8109 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8110 				    offsetof(struct xdp_md, data_meta)),
8111 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8112 				    offsetof(struct xdp_md, data)),
8113 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8114 				    offsetof(struct xdp_md, data_end)),
8115 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8116 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8117 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8118 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8119 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8121 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8122 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8123 			BPF_MOV64_IMM(BPF_REG_0, 0),
8124 			BPF_EXIT_INSN(),
8125 		},
8126 		.result = ACCEPT,
8127 		.prog_type = BPF_PROG_TYPE_XDP,
8128 	},
8129 	{
8130 		"arithmetic ops make PTR_TO_CTX unusable",
8131 		.insns = {
8132 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8133 				      offsetof(struct __sk_buff, data) -
8134 				      offsetof(struct __sk_buff, mark)),
8135 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8136 				    offsetof(struct __sk_buff, mark)),
8137 			BPF_EXIT_INSN(),
8138 		},
8139 		.errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
8140 		.result = REJECT,
8141 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8142 	},
8143 	{
8144 		"pkt_end - pkt_start is allowed",
8145 		.insns = {
8146 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8147 				    offsetof(struct __sk_buff, data_end)),
8148 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8149 				    offsetof(struct __sk_buff, data)),
8150 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8151 			BPF_EXIT_INSN(),
8152 		},
8153 		.result = ACCEPT,
8154 		.retval = TEST_DATA_LEN,
8155 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8156 	},
8157 	{
8158 		"XDP pkt read, pkt_end mangling, bad access 1",
8159 		.insns = {
8160 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8161 				    offsetof(struct xdp_md, data)),
8162 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8163 				    offsetof(struct xdp_md, data_end)),
8164 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8165 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8166 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8167 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8168 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8169 			BPF_MOV64_IMM(BPF_REG_0, 0),
8170 			BPF_EXIT_INSN(),
8171 		},
8172 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8173 		.result = REJECT,
8174 		.prog_type = BPF_PROG_TYPE_XDP,
8175 	},
8176 	{
8177 		"XDP pkt read, pkt_end mangling, bad access 2",
8178 		.insns = {
8179 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8180 				    offsetof(struct xdp_md, data)),
8181 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8182 				    offsetof(struct xdp_md, data_end)),
8183 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8184 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8185 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8186 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8187 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8188 			BPF_MOV64_IMM(BPF_REG_0, 0),
8189 			BPF_EXIT_INSN(),
8190 		},
8191 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8192 		.result = REJECT,
8193 		.prog_type = BPF_PROG_TYPE_XDP,
8194 	},
8195 	{
8196 		"XDP pkt read, pkt_data' > pkt_end, good access",
8197 		.insns = {
8198 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8199 				    offsetof(struct xdp_md, data)),
8200 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8201 				    offsetof(struct xdp_md, data_end)),
8202 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8203 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8204 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8205 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8206 			BPF_MOV64_IMM(BPF_REG_0, 0),
8207 			BPF_EXIT_INSN(),
8208 		},
8209 		.result = ACCEPT,
8210 		.prog_type = BPF_PROG_TYPE_XDP,
8211 	},
8212 	{
8213 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
8214 		.insns = {
8215 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8216 				    offsetof(struct xdp_md, data)),
8217 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8218 				    offsetof(struct xdp_md, data_end)),
8219 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8220 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8221 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8222 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8223 			BPF_MOV64_IMM(BPF_REG_0, 0),
8224 			BPF_EXIT_INSN(),
8225 		},
8226 		.errstr = "R1 offset is outside of the packet",
8227 		.result = REJECT,
8228 		.prog_type = BPF_PROG_TYPE_XDP,
8229 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8230 	},
8231 	{
8232 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
8233 		.insns = {
8234 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8235 				    offsetof(struct xdp_md, data)),
8236 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8237 				    offsetof(struct xdp_md, data_end)),
8238 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8239 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8240 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8241 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8242 			BPF_MOV64_IMM(BPF_REG_0, 0),
8243 			BPF_EXIT_INSN(),
8244 		},
8245 		.errstr = "R1 offset is outside of the packet",
8246 		.result = REJECT,
8247 		.prog_type = BPF_PROG_TYPE_XDP,
8248 	},
8249 	{
8250 		"XDP pkt read, pkt_end > pkt_data', good access",
8251 		.insns = {
8252 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8253 				    offsetof(struct xdp_md, data)),
8254 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8255 				    offsetof(struct xdp_md, data_end)),
8256 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8257 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8258 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8259 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8260 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8261 			BPF_MOV64_IMM(BPF_REG_0, 0),
8262 			BPF_EXIT_INSN(),
8263 		},
8264 		.result = ACCEPT,
8265 		.prog_type = BPF_PROG_TYPE_XDP,
8266 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8267 	},
8268 	{
8269 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
8270 		.insns = {
8271 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8272 				    offsetof(struct xdp_md, data)),
8273 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8274 				    offsetof(struct xdp_md, data_end)),
8275 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8276 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8277 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8278 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8279 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8280 			BPF_MOV64_IMM(BPF_REG_0, 0),
8281 			BPF_EXIT_INSN(),
8282 		},
8283 		.errstr = "R1 offset is outside of the packet",
8284 		.result = REJECT,
8285 		.prog_type = BPF_PROG_TYPE_XDP,
8286 	},
8287 	{
8288 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
8289 		.insns = {
8290 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8291 				    offsetof(struct xdp_md, data)),
8292 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8293 				    offsetof(struct xdp_md, data_end)),
8294 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8295 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8296 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8297 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8298 			BPF_MOV64_IMM(BPF_REG_0, 0),
8299 			BPF_EXIT_INSN(),
8300 		},
8301 		.errstr = "R1 offset is outside of the packet",
8302 		.result = REJECT,
8303 		.prog_type = BPF_PROG_TYPE_XDP,
8304 	},
8305 	{
8306 		"XDP pkt read, pkt_data' < pkt_end, good access",
8307 		.insns = {
8308 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8309 				    offsetof(struct xdp_md, data)),
8310 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8311 				    offsetof(struct xdp_md, data_end)),
8312 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8313 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8314 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8315 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8316 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8317 			BPF_MOV64_IMM(BPF_REG_0, 0),
8318 			BPF_EXIT_INSN(),
8319 		},
8320 		.result = ACCEPT,
8321 		.prog_type = BPF_PROG_TYPE_XDP,
8322 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8323 	},
8324 	{
8325 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
8326 		.insns = {
8327 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8328 				    offsetof(struct xdp_md, data)),
8329 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8330 				    offsetof(struct xdp_md, data_end)),
8331 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8332 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8333 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8334 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8335 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8336 			BPF_MOV64_IMM(BPF_REG_0, 0),
8337 			BPF_EXIT_INSN(),
8338 		},
8339 		.errstr = "R1 offset is outside of the packet",
8340 		.result = REJECT,
8341 		.prog_type = BPF_PROG_TYPE_XDP,
8342 	},
8343 	{
8344 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
8345 		.insns = {
8346 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8347 				    offsetof(struct xdp_md, data)),
8348 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8349 				    offsetof(struct xdp_md, data_end)),
8350 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8352 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8353 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8354 			BPF_MOV64_IMM(BPF_REG_0, 0),
8355 			BPF_EXIT_INSN(),
8356 		},
8357 		.errstr = "R1 offset is outside of the packet",
8358 		.result = REJECT,
8359 		.prog_type = BPF_PROG_TYPE_XDP,
8360 	},
8361 	{
8362 		"XDP pkt read, pkt_end < pkt_data', good access",
8363 		.insns = {
8364 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8365 				    offsetof(struct xdp_md, data)),
8366 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8367 				    offsetof(struct xdp_md, data_end)),
8368 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8369 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8370 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8371 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8372 			BPF_MOV64_IMM(BPF_REG_0, 0),
8373 			BPF_EXIT_INSN(),
8374 		},
8375 		.result = ACCEPT,
8376 		.prog_type = BPF_PROG_TYPE_XDP,
8377 	},
8378 	{
8379 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
8380 		.insns = {
8381 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8382 				    offsetof(struct xdp_md, data)),
8383 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8384 				    offsetof(struct xdp_md, data_end)),
8385 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8386 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8387 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8388 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8389 			BPF_MOV64_IMM(BPF_REG_0, 0),
8390 			BPF_EXIT_INSN(),
8391 		},
8392 		.errstr = "R1 offset is outside of the packet",
8393 		.result = REJECT,
8394 		.prog_type = BPF_PROG_TYPE_XDP,
8395 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8396 	},
8397 	{
8398 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
8399 		.insns = {
8400 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8401 				    offsetof(struct xdp_md, data)),
8402 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8403 				    offsetof(struct xdp_md, data_end)),
8404 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8405 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8406 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8407 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8408 			BPF_MOV64_IMM(BPF_REG_0, 0),
8409 			BPF_EXIT_INSN(),
8410 		},
8411 		.errstr = "R1 offset is outside of the packet",
8412 		.result = REJECT,
8413 		.prog_type = BPF_PROG_TYPE_XDP,
8414 	},
8415 	{
8416 		"XDP pkt read, pkt_data' >= pkt_end, good access",
8417 		.insns = {
8418 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8419 				    offsetof(struct xdp_md, data)),
8420 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8421 				    offsetof(struct xdp_md, data_end)),
8422 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8423 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8424 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8425 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8426 			BPF_MOV64_IMM(BPF_REG_0, 0),
8427 			BPF_EXIT_INSN(),
8428 		},
8429 		.result = ACCEPT,
8430 		.prog_type = BPF_PROG_TYPE_XDP,
8431 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8432 	},
8433 	{
8434 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8435 		.insns = {
8436 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8437 				    offsetof(struct xdp_md, data)),
8438 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8439 				    offsetof(struct xdp_md, data_end)),
8440 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8441 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8442 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8443 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8444 			BPF_MOV64_IMM(BPF_REG_0, 0),
8445 			BPF_EXIT_INSN(),
8446 		},
8447 		.errstr = "R1 offset is outside of the packet",
8448 		.result = REJECT,
8449 		.prog_type = BPF_PROG_TYPE_XDP,
8450 	},
8451 	{
8452 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8453 		.insns = {
8454 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8455 				    offsetof(struct xdp_md, data)),
8456 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8457 				    offsetof(struct xdp_md, data_end)),
8458 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8460 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8461 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8462 			BPF_MOV64_IMM(BPF_REG_0, 0),
8463 			BPF_EXIT_INSN(),
8464 		},
8465 		.errstr = "R1 offset is outside of the packet",
8466 		.result = REJECT,
8467 		.prog_type = BPF_PROG_TYPE_XDP,
8468 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8469 	},
8470 	{
8471 		"XDP pkt read, pkt_end >= pkt_data', good access",
8472 		.insns = {
8473 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8474 				    offsetof(struct xdp_md, data)),
8475 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8476 				    offsetof(struct xdp_md, data_end)),
8477 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8479 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8480 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8481 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8482 			BPF_MOV64_IMM(BPF_REG_0, 0),
8483 			BPF_EXIT_INSN(),
8484 		},
8485 		.result = ACCEPT,
8486 		.prog_type = BPF_PROG_TYPE_XDP,
8487 	},
8488 	{
8489 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
8490 		.insns = {
8491 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8492 				    offsetof(struct xdp_md, data)),
8493 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8494 				    offsetof(struct xdp_md, data_end)),
8495 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8496 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8497 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8498 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8499 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8500 			BPF_MOV64_IMM(BPF_REG_0, 0),
8501 			BPF_EXIT_INSN(),
8502 		},
8503 		.errstr = "R1 offset is outside of the packet",
8504 		.result = REJECT,
8505 		.prog_type = BPF_PROG_TYPE_XDP,
8506 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8507 	},
8508 	{
8509 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
8510 		.insns = {
8511 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8512 				    offsetof(struct xdp_md, data)),
8513 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8514 				    offsetof(struct xdp_md, data_end)),
8515 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8516 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8517 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8518 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8519 			BPF_MOV64_IMM(BPF_REG_0, 0),
8520 			BPF_EXIT_INSN(),
8521 		},
8522 		.errstr = "R1 offset is outside of the packet",
8523 		.result = REJECT,
8524 		.prog_type = BPF_PROG_TYPE_XDP,
8525 	},
8526 	{
8527 		"XDP pkt read, pkt_data' <= pkt_end, good access",
8528 		.insns = {
8529 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8530 				    offsetof(struct xdp_md, data)),
8531 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8532 				    offsetof(struct xdp_md, data_end)),
8533 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8534 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8535 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8536 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8537 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8538 			BPF_MOV64_IMM(BPF_REG_0, 0),
8539 			BPF_EXIT_INSN(),
8540 		},
8541 		.result = ACCEPT,
8542 		.prog_type = BPF_PROG_TYPE_XDP,
8543 	},
8544 	{
8545 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8546 		.insns = {
8547 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8548 				    offsetof(struct xdp_md, data)),
8549 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8550 				    offsetof(struct xdp_md, data_end)),
8551 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8552 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8553 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8554 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8555 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8556 			BPF_MOV64_IMM(BPF_REG_0, 0),
8557 			BPF_EXIT_INSN(),
8558 		},
8559 		.errstr = "R1 offset is outside of the packet",
8560 		.result = REJECT,
8561 		.prog_type = BPF_PROG_TYPE_XDP,
8562 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8563 	},
8564 	{
8565 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8566 		.insns = {
8567 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8568 				    offsetof(struct xdp_md, data)),
8569 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8570 				    offsetof(struct xdp_md, data_end)),
8571 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8572 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8573 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8574 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8575 			BPF_MOV64_IMM(BPF_REG_0, 0),
8576 			BPF_EXIT_INSN(),
8577 		},
8578 		.errstr = "R1 offset is outside of the packet",
8579 		.result = REJECT,
8580 		.prog_type = BPF_PROG_TYPE_XDP,
8581 	},
8582 	{
8583 		"XDP pkt read, pkt_end <= pkt_data', good access",
8584 		.insns = {
8585 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8586 				    offsetof(struct xdp_md, data)),
8587 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8588 				    offsetof(struct xdp_md, data_end)),
8589 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8590 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8591 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8592 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8593 			BPF_MOV64_IMM(BPF_REG_0, 0),
8594 			BPF_EXIT_INSN(),
8595 		},
8596 		.result = ACCEPT,
8597 		.prog_type = BPF_PROG_TYPE_XDP,
8598 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8599 	},
8600 	{
8601 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
8602 		.insns = {
8603 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8604 				    offsetof(struct xdp_md, data)),
8605 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8606 				    offsetof(struct xdp_md, data_end)),
8607 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8608 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8609 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8610 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8611 			BPF_MOV64_IMM(BPF_REG_0, 0),
8612 			BPF_EXIT_INSN(),
8613 		},
8614 		.errstr = "R1 offset is outside of the packet",
8615 		.result = REJECT,
8616 		.prog_type = BPF_PROG_TYPE_XDP,
8617 	},
8618 	{
8619 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
8620 		.insns = {
8621 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8622 				    offsetof(struct xdp_md, data)),
8623 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8624 				    offsetof(struct xdp_md, data_end)),
8625 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8626 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8627 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8628 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8629 			BPF_MOV64_IMM(BPF_REG_0, 0),
8630 			BPF_EXIT_INSN(),
8631 		},
8632 		.errstr = "R1 offset is outside of the packet",
8633 		.result = REJECT,
8634 		.prog_type = BPF_PROG_TYPE_XDP,
8635 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8636 	},
8637 	{
8638 		"XDP pkt read, pkt_meta' > pkt_data, good access",
8639 		.insns = {
8640 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8641 				    offsetof(struct xdp_md, data_meta)),
8642 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8643 				    offsetof(struct xdp_md, data)),
8644 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8645 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8646 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8647 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8648 			BPF_MOV64_IMM(BPF_REG_0, 0),
8649 			BPF_EXIT_INSN(),
8650 		},
8651 		.result = ACCEPT,
8652 		.prog_type = BPF_PROG_TYPE_XDP,
8653 	},
8654 	{
8655 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
8656 		.insns = {
8657 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8658 				    offsetof(struct xdp_md, data_meta)),
8659 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8660 				    offsetof(struct xdp_md, data)),
8661 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8662 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8663 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8664 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8665 			BPF_MOV64_IMM(BPF_REG_0, 0),
8666 			BPF_EXIT_INSN(),
8667 		},
8668 		.errstr = "R1 offset is outside of the packet",
8669 		.result = REJECT,
8670 		.prog_type = BPF_PROG_TYPE_XDP,
8671 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8672 	},
8673 	{
8674 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
8675 		.insns = {
8676 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8677 				    offsetof(struct xdp_md, data_meta)),
8678 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8679 				    offsetof(struct xdp_md, data)),
8680 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8681 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8682 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8683 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8684 			BPF_MOV64_IMM(BPF_REG_0, 0),
8685 			BPF_EXIT_INSN(),
8686 		},
8687 		.errstr = "R1 offset is outside of the packet",
8688 		.result = REJECT,
8689 		.prog_type = BPF_PROG_TYPE_XDP,
8690 	},
8691 	{
8692 		"XDP pkt read, pkt_data > pkt_meta', good access",
8693 		.insns = {
8694 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8695 				    offsetof(struct xdp_md, data_meta)),
8696 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8697 				    offsetof(struct xdp_md, data)),
8698 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8700 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8701 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8702 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8703 			BPF_MOV64_IMM(BPF_REG_0, 0),
8704 			BPF_EXIT_INSN(),
8705 		},
8706 		.result = ACCEPT,
8707 		.prog_type = BPF_PROG_TYPE_XDP,
8708 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8709 	},
8710 	{
8711 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
8712 		.insns = {
8713 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8714 				    offsetof(struct xdp_md, data_meta)),
8715 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8716 				    offsetof(struct xdp_md, data)),
8717 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8718 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8719 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8720 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8721 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8722 			BPF_MOV64_IMM(BPF_REG_0, 0),
8723 			BPF_EXIT_INSN(),
8724 		},
8725 		.errstr = "R1 offset is outside of the packet",
8726 		.result = REJECT,
8727 		.prog_type = BPF_PROG_TYPE_XDP,
8728 	},
8729 	{
8730 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
8731 		.insns = {
8732 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8733 				    offsetof(struct xdp_md, data_meta)),
8734 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8735 				    offsetof(struct xdp_md, data)),
8736 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8737 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8738 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8739 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8740 			BPF_MOV64_IMM(BPF_REG_0, 0),
8741 			BPF_EXIT_INSN(),
8742 		},
8743 		.errstr = "R1 offset is outside of the packet",
8744 		.result = REJECT,
8745 		.prog_type = BPF_PROG_TYPE_XDP,
8746 	},
8747 	{
8748 		"XDP pkt read, pkt_meta' < pkt_data, good access",
8749 		.insns = {
8750 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8751 				    offsetof(struct xdp_md, data_meta)),
8752 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8753 				    offsetof(struct xdp_md, data)),
8754 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8756 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8757 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8758 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8759 			BPF_MOV64_IMM(BPF_REG_0, 0),
8760 			BPF_EXIT_INSN(),
8761 		},
8762 		.result = ACCEPT,
8763 		.prog_type = BPF_PROG_TYPE_XDP,
8764 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8765 	},
8766 	{
8767 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
8768 		.insns = {
8769 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8770 				    offsetof(struct xdp_md, data_meta)),
8771 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8772 				    offsetof(struct xdp_md, data)),
8773 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8775 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8776 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8777 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8778 			BPF_MOV64_IMM(BPF_REG_0, 0),
8779 			BPF_EXIT_INSN(),
8780 		},
8781 		.errstr = "R1 offset is outside of the packet",
8782 		.result = REJECT,
8783 		.prog_type = BPF_PROG_TYPE_XDP,
8784 	},
8785 	{
8786 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
8787 		.insns = {
8788 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8789 				    offsetof(struct xdp_md, data_meta)),
8790 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8791 				    offsetof(struct xdp_md, data)),
8792 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8793 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8794 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8795 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8796 			BPF_MOV64_IMM(BPF_REG_0, 0),
8797 			BPF_EXIT_INSN(),
8798 		},
8799 		.errstr = "R1 offset is outside of the packet",
8800 		.result = REJECT,
8801 		.prog_type = BPF_PROG_TYPE_XDP,
8802 	},
8803 	{
8804 		"XDP pkt read, pkt_data < pkt_meta', good access",
8805 		.insns = {
8806 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8807 				    offsetof(struct xdp_md, data_meta)),
8808 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8809 				    offsetof(struct xdp_md, data)),
8810 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8812 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8813 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8814 			BPF_MOV64_IMM(BPF_REG_0, 0),
8815 			BPF_EXIT_INSN(),
8816 		},
8817 		.result = ACCEPT,
8818 		.prog_type = BPF_PROG_TYPE_XDP,
8819 	},
8820 	{
8821 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
8822 		.insns = {
8823 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8824 				    offsetof(struct xdp_md, data_meta)),
8825 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8826 				    offsetof(struct xdp_md, data)),
8827 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8829 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8830 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8831 			BPF_MOV64_IMM(BPF_REG_0, 0),
8832 			BPF_EXIT_INSN(),
8833 		},
8834 		.errstr = "R1 offset is outside of the packet",
8835 		.result = REJECT,
8836 		.prog_type = BPF_PROG_TYPE_XDP,
8837 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8838 	},
8839 	{
8840 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
8841 		.insns = {
8842 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8843 				    offsetof(struct xdp_md, data_meta)),
8844 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8845 				    offsetof(struct xdp_md, data)),
8846 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8847 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8848 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8849 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8850 			BPF_MOV64_IMM(BPF_REG_0, 0),
8851 			BPF_EXIT_INSN(),
8852 		},
8853 		.errstr = "R1 offset is outside of the packet",
8854 		.result = REJECT,
8855 		.prog_type = BPF_PROG_TYPE_XDP,
8856 	},
8857 	{
8858 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
8859 		.insns = {
8860 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8861 				    offsetof(struct xdp_md, data_meta)),
8862 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8863 				    offsetof(struct xdp_md, data)),
8864 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8865 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8866 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8867 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8868 			BPF_MOV64_IMM(BPF_REG_0, 0),
8869 			BPF_EXIT_INSN(),
8870 		},
8871 		.result = ACCEPT,
8872 		.prog_type = BPF_PROG_TYPE_XDP,
8873 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8874 	},
8875 	{
8876 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
8877 		.insns = {
8878 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8879 				    offsetof(struct xdp_md, data_meta)),
8880 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8881 				    offsetof(struct xdp_md, data)),
8882 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8883 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8884 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8885 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8886 			BPF_MOV64_IMM(BPF_REG_0, 0),
8887 			BPF_EXIT_INSN(),
8888 		},
8889 		.errstr = "R1 offset is outside of the packet",
8890 		.result = REJECT,
8891 		.prog_type = BPF_PROG_TYPE_XDP,
8892 	},
8893 	{
8894 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
8895 		.insns = {
8896 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8897 				    offsetof(struct xdp_md, data_meta)),
8898 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8899 				    offsetof(struct xdp_md, data)),
8900 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8901 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8902 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8903 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8904 			BPF_MOV64_IMM(BPF_REG_0, 0),
8905 			BPF_EXIT_INSN(),
8906 		},
8907 		.errstr = "R1 offset is outside of the packet",
8908 		.result = REJECT,
8909 		.prog_type = BPF_PROG_TYPE_XDP,
8910 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8911 	},
8912 	{
8913 		"XDP pkt read, pkt_data >= pkt_meta', good access",
8914 		.insns = {
8915 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8916 				    offsetof(struct xdp_md, data_meta)),
8917 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8918 				    offsetof(struct xdp_md, data)),
8919 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8920 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8921 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8922 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8923 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8924 			BPF_MOV64_IMM(BPF_REG_0, 0),
8925 			BPF_EXIT_INSN(),
8926 		},
8927 		.result = ACCEPT,
8928 		.prog_type = BPF_PROG_TYPE_XDP,
8929 	},
8930 	{
8931 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
8932 		.insns = {
8933 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8934 				    offsetof(struct xdp_md, data_meta)),
8935 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8936 				    offsetof(struct xdp_md, data)),
8937 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8938 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8939 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8940 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8941 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8942 			BPF_MOV64_IMM(BPF_REG_0, 0),
8943 			BPF_EXIT_INSN(),
8944 		},
8945 		.errstr = "R1 offset is outside of the packet",
8946 		.result = REJECT,
8947 		.prog_type = BPF_PROG_TYPE_XDP,
8948 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8949 	},
8950 	{
8951 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
8952 		.insns = {
8953 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8954 				    offsetof(struct xdp_md, data_meta)),
8955 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8956 				    offsetof(struct xdp_md, data)),
8957 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8958 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8959 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8960 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8961 			BPF_MOV64_IMM(BPF_REG_0, 0),
8962 			BPF_EXIT_INSN(),
8963 		},
8964 		.errstr = "R1 offset is outside of the packet",
8965 		.result = REJECT,
8966 		.prog_type = BPF_PROG_TYPE_XDP,
8967 	},
8968 	{
8969 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
8970 		.insns = {
8971 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8972 				    offsetof(struct xdp_md, data_meta)),
8973 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8974 				    offsetof(struct xdp_md, data)),
8975 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8977 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8978 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8979 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8980 			BPF_MOV64_IMM(BPF_REG_0, 0),
8981 			BPF_EXIT_INSN(),
8982 		},
8983 		.result = ACCEPT,
8984 		.prog_type = BPF_PROG_TYPE_XDP,
8985 	},
8986 	{
8987 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
8988 		.insns = {
8989 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8990 				    offsetof(struct xdp_md, data_meta)),
8991 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8992 				    offsetof(struct xdp_md, data)),
8993 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8994 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8995 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8996 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8997 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8998 			BPF_MOV64_IMM(BPF_REG_0, 0),
8999 			BPF_EXIT_INSN(),
9000 		},
9001 		.errstr = "R1 offset is outside of the packet",
9002 		.result = REJECT,
9003 		.prog_type = BPF_PROG_TYPE_XDP,
9004 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9005 	},
9006 	{
9007 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9008 		.insns = {
9009 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9010 				    offsetof(struct xdp_md, data_meta)),
9011 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9012 				    offsetof(struct xdp_md, data)),
9013 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9014 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9015 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9016 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9017 			BPF_MOV64_IMM(BPF_REG_0, 0),
9018 			BPF_EXIT_INSN(),
9019 		},
9020 		.errstr = "R1 offset is outside of the packet",
9021 		.result = REJECT,
9022 		.prog_type = BPF_PROG_TYPE_XDP,
9023 	},
9024 	{
9025 		"XDP pkt read, pkt_data <= pkt_meta', good access",
9026 		.insns = {
9027 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9028 				    offsetof(struct xdp_md, data_meta)),
9029 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9030 				    offsetof(struct xdp_md, data)),
9031 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9032 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9033 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9034 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9035 			BPF_MOV64_IMM(BPF_REG_0, 0),
9036 			BPF_EXIT_INSN(),
9037 		},
9038 		.result = ACCEPT,
9039 		.prog_type = BPF_PROG_TYPE_XDP,
9040 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9041 	},
9042 	{
9043 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9044 		.insns = {
9045 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9046 				    offsetof(struct xdp_md, data_meta)),
9047 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9048 				    offsetof(struct xdp_md, data)),
9049 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9050 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9051 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9052 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9053 			BPF_MOV64_IMM(BPF_REG_0, 0),
9054 			BPF_EXIT_INSN(),
9055 		},
9056 		.errstr = "R1 offset is outside of the packet",
9057 		.result = REJECT,
9058 		.prog_type = BPF_PROG_TYPE_XDP,
9059 	},
9060 	{
9061 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9062 		.insns = {
9063 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9064 				    offsetof(struct xdp_md, data_meta)),
9065 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9066 				    offsetof(struct xdp_md, data)),
9067 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9068 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9069 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9070 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9071 			BPF_MOV64_IMM(BPF_REG_0, 0),
9072 			BPF_EXIT_INSN(),
9073 		},
9074 		.errstr = "R1 offset is outside of the packet",
9075 		.result = REJECT,
9076 		.prog_type = BPF_PROG_TYPE_XDP,
9077 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9078 	},
9079 	{
9080 		"check deducing bounds from const, 1",
9081 		.insns = {
9082 			BPF_MOV64_IMM(BPF_REG_0, 1),
9083 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9084 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9085 			BPF_EXIT_INSN(),
9086 		},
9087 		.result = REJECT,
9088 		.errstr = "R0 tried to subtract pointer from scalar",
9089 	},
9090 	{
9091 		"check deducing bounds from const, 2",
9092 		.insns = {
9093 			BPF_MOV64_IMM(BPF_REG_0, 1),
9094 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9095 			BPF_EXIT_INSN(),
9096 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9097 			BPF_EXIT_INSN(),
9098 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9099 			BPF_EXIT_INSN(),
9100 		},
9101 		.result = ACCEPT,
9102 		.retval = 1,
9103 	},
9104 	{
9105 		"check deducing bounds from const, 3",
9106 		.insns = {
9107 			BPF_MOV64_IMM(BPF_REG_0, 0),
9108 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9109 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9110 			BPF_EXIT_INSN(),
9111 		},
9112 		.result = REJECT,
9113 		.errstr = "R0 tried to subtract pointer from scalar",
9114 	},
9115 	{
9116 		"check deducing bounds from const, 4",
9117 		.insns = {
9118 			BPF_MOV64_IMM(BPF_REG_0, 0),
9119 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9120 			BPF_EXIT_INSN(),
9121 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9122 			BPF_EXIT_INSN(),
9123 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9124 			BPF_EXIT_INSN(),
9125 		},
9126 		.result = ACCEPT,
9127 	},
9128 	{
9129 		"check deducing bounds from const, 5",
9130 		.insns = {
9131 			BPF_MOV64_IMM(BPF_REG_0, 0),
9132 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9133 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9134 			BPF_EXIT_INSN(),
9135 		},
9136 		.result = REJECT,
9137 		.errstr = "R0 tried to subtract pointer from scalar",
9138 	},
9139 	{
9140 		"check deducing bounds from const, 6",
9141 		.insns = {
9142 			BPF_MOV64_IMM(BPF_REG_0, 0),
9143 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9144 			BPF_EXIT_INSN(),
9145 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9146 			BPF_EXIT_INSN(),
9147 		},
9148 		.result = REJECT,
9149 		.errstr = "R0 tried to subtract pointer from scalar",
9150 	},
9151 	{
9152 		"check deducing bounds from const, 7",
9153 		.insns = {
9154 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9155 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9156 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9157 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9158 				    offsetof(struct __sk_buff, mark)),
9159 			BPF_EXIT_INSN(),
9160 		},
9161 		.result = REJECT,
9162 		.errstr = "dereference of modified ctx ptr",
9163 	},
9164 	{
9165 		"check deducing bounds from const, 8",
9166 		.insns = {
9167 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9168 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9169 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9170 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9171 				    offsetof(struct __sk_buff, mark)),
9172 			BPF_EXIT_INSN(),
9173 		},
9174 		.result = REJECT,
9175 		.errstr = "dereference of modified ctx ptr",
9176 	},
9177 	{
9178 		"check deducing bounds from const, 9",
9179 		.insns = {
9180 			BPF_MOV64_IMM(BPF_REG_0, 0),
9181 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9182 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9183 			BPF_EXIT_INSN(),
9184 		},
9185 		.result = REJECT,
9186 		.errstr = "R0 tried to subtract pointer from scalar",
9187 	},
9188 	{
9189 		"check deducing bounds from const, 10",
9190 		.insns = {
9191 			BPF_MOV64_IMM(BPF_REG_0, 0),
9192 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9193 			/* Marks reg as unknown. */
9194 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9195 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9196 			BPF_EXIT_INSN(),
9197 		},
9198 		.result = REJECT,
9199 		.errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9200 	},
9201 	{
9202 		"bpf_exit with invalid return code. test1",
9203 		.insns = {
9204 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9205 			BPF_EXIT_INSN(),
9206 		},
9207 		.errstr = "R0 has value (0x0; 0xffffffff)",
9208 		.result = REJECT,
9209 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9210 	},
9211 	{
9212 		"bpf_exit with invalid return code. test2",
9213 		.insns = {
9214 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9215 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9216 			BPF_EXIT_INSN(),
9217 		},
9218 		.result = ACCEPT,
9219 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9220 	},
9221 	{
9222 		"bpf_exit with invalid return code. test3",
9223 		.insns = {
9224 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9225 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9226 			BPF_EXIT_INSN(),
9227 		},
9228 		.errstr = "R0 has value (0x0; 0x3)",
9229 		.result = REJECT,
9230 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9231 	},
9232 	{
9233 		"bpf_exit with invalid return code. test4",
9234 		.insns = {
9235 			BPF_MOV64_IMM(BPF_REG_0, 1),
9236 			BPF_EXIT_INSN(),
9237 		},
9238 		.result = ACCEPT,
9239 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9240 	},
9241 	{
9242 		"bpf_exit with invalid return code. test5",
9243 		.insns = {
9244 			BPF_MOV64_IMM(BPF_REG_0, 2),
9245 			BPF_EXIT_INSN(),
9246 		},
9247 		.errstr = "R0 has value (0x2; 0x0)",
9248 		.result = REJECT,
9249 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9250 	},
9251 	{
9252 		"bpf_exit with invalid return code. test6",
9253 		.insns = {
9254 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9255 			BPF_EXIT_INSN(),
9256 		},
9257 		.errstr = "R0 is not a known value (ctx)",
9258 		.result = REJECT,
9259 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9260 	},
9261 	{
9262 		"bpf_exit with invalid return code. test7",
9263 		.insns = {
9264 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9265 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9266 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9267 			BPF_EXIT_INSN(),
9268 		},
9269 		.errstr = "R0 has unknown scalar value",
9270 		.result = REJECT,
9271 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9272 	},
9273 	{
9274 		"calls: basic sanity",
9275 		.insns = {
9276 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9277 			BPF_MOV64_IMM(BPF_REG_0, 1),
9278 			BPF_EXIT_INSN(),
9279 			BPF_MOV64_IMM(BPF_REG_0, 2),
9280 			BPF_EXIT_INSN(),
9281 		},
9282 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9283 		.result = ACCEPT,
9284 	},
9285 	{
9286 		"calls: not on unpriviledged",
9287 		.insns = {
9288 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9289 			BPF_MOV64_IMM(BPF_REG_0, 1),
9290 			BPF_EXIT_INSN(),
9291 			BPF_MOV64_IMM(BPF_REG_0, 2),
9292 			BPF_EXIT_INSN(),
9293 		},
9294 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9295 		.result_unpriv = REJECT,
9296 		.result = ACCEPT,
9297 		.retval = 1,
9298 	},
9299 	{
9300 		"calls: div by 0 in subprog",
9301 		.insns = {
9302 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9303 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9304 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9305 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9306 				    offsetof(struct __sk_buff, data_end)),
9307 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9308 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9309 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9310 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9311 			BPF_MOV64_IMM(BPF_REG_0, 1),
9312 			BPF_EXIT_INSN(),
9313 			BPF_MOV32_IMM(BPF_REG_2, 0),
9314 			BPF_MOV32_IMM(BPF_REG_3, 1),
9315 			BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9316 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9317 				    offsetof(struct __sk_buff, data)),
9318 			BPF_EXIT_INSN(),
9319 		},
9320 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9321 		.result = ACCEPT,
9322 		.retval = 1,
9323 	},
9324 	{
9325 		"calls: multiple ret types in subprog 1",
9326 		.insns = {
9327 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9328 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9329 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9330 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9331 				    offsetof(struct __sk_buff, data_end)),
9332 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9333 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9334 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9335 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9336 			BPF_MOV64_IMM(BPF_REG_0, 1),
9337 			BPF_EXIT_INSN(),
9338 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9339 				    offsetof(struct __sk_buff, data)),
9340 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9341 			BPF_MOV32_IMM(BPF_REG_0, 42),
9342 			BPF_EXIT_INSN(),
9343 		},
9344 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9345 		.result = REJECT,
9346 		.errstr = "R0 invalid mem access 'inv'",
9347 	},
9348 	{
9349 		"calls: multiple ret types in subprog 2",
9350 		.insns = {
9351 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9352 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9353 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9354 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9355 				    offsetof(struct __sk_buff, data_end)),
9356 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9357 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9358 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9359 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9360 			BPF_MOV64_IMM(BPF_REG_0, 1),
9361 			BPF_EXIT_INSN(),
9362 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9363 				    offsetof(struct __sk_buff, data)),
9364 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9365 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9366 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9367 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9368 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9369 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9370 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9371 				     BPF_FUNC_map_lookup_elem),
9372 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9373 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9374 				    offsetof(struct __sk_buff, data)),
9375 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9376 			BPF_EXIT_INSN(),
9377 		},
9378 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9379 		.fixup_map1 = { 16 },
9380 		.result = REJECT,
9381 		.errstr = "R0 min value is outside of the array range",
9382 	},
9383 	{
9384 		"calls: overlapping caller/callee",
9385 		.insns = {
9386 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9387 			BPF_MOV64_IMM(BPF_REG_0, 1),
9388 			BPF_EXIT_INSN(),
9389 		},
9390 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9391 		.errstr = "last insn is not an exit or jmp",
9392 		.result = REJECT,
9393 	},
9394 	{
9395 		"calls: wrong recursive calls",
9396 		.insns = {
9397 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9398 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9399 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9400 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9401 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9402 			BPF_MOV64_IMM(BPF_REG_0, 1),
9403 			BPF_EXIT_INSN(),
9404 		},
9405 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9406 		.errstr = "jump out of range",
9407 		.result = REJECT,
9408 	},
9409 	{
9410 		"calls: wrong src reg",
9411 		.insns = {
9412 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9413 			BPF_MOV64_IMM(BPF_REG_0, 1),
9414 			BPF_EXIT_INSN(),
9415 		},
9416 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9417 		.errstr = "BPF_CALL uses reserved fields",
9418 		.result = REJECT,
9419 	},
9420 	{
9421 		"calls: wrong off value",
9422 		.insns = {
9423 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9424 			BPF_MOV64_IMM(BPF_REG_0, 1),
9425 			BPF_EXIT_INSN(),
9426 			BPF_MOV64_IMM(BPF_REG_0, 2),
9427 			BPF_EXIT_INSN(),
9428 		},
9429 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9430 		.errstr = "BPF_CALL uses reserved fields",
9431 		.result = REJECT,
9432 	},
9433 	{
9434 		"calls: jump back loop",
9435 		.insns = {
9436 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9437 			BPF_MOV64_IMM(BPF_REG_0, 1),
9438 			BPF_EXIT_INSN(),
9439 		},
9440 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9441 		.errstr = "back-edge from insn 0 to 0",
9442 		.result = REJECT,
9443 	},
9444 	{
9445 		"calls: conditional call",
9446 		.insns = {
9447 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9448 				    offsetof(struct __sk_buff, mark)),
9449 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9450 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9451 			BPF_MOV64_IMM(BPF_REG_0, 1),
9452 			BPF_EXIT_INSN(),
9453 			BPF_MOV64_IMM(BPF_REG_0, 2),
9454 			BPF_EXIT_INSN(),
9455 		},
9456 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9457 		.errstr = "jump out of range",
9458 		.result = REJECT,
9459 	},
9460 	{
9461 		"calls: conditional call 2",
9462 		.insns = {
9463 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9464 				    offsetof(struct __sk_buff, mark)),
9465 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9466 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9467 			BPF_MOV64_IMM(BPF_REG_0, 1),
9468 			BPF_EXIT_INSN(),
9469 			BPF_MOV64_IMM(BPF_REG_0, 2),
9470 			BPF_EXIT_INSN(),
9471 			BPF_MOV64_IMM(BPF_REG_0, 3),
9472 			BPF_EXIT_INSN(),
9473 		},
9474 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9475 		.result = ACCEPT,
9476 	},
9477 	{
9478 		"calls: conditional call 3",
9479 		.insns = {
9480 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9481 				    offsetof(struct __sk_buff, mark)),
9482 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9483 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9484 			BPF_MOV64_IMM(BPF_REG_0, 1),
9485 			BPF_EXIT_INSN(),
9486 			BPF_MOV64_IMM(BPF_REG_0, 1),
9487 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9488 			BPF_MOV64_IMM(BPF_REG_0, 3),
9489 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9490 		},
9491 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9492 		.errstr = "back-edge from insn",
9493 		.result = REJECT,
9494 	},
9495 	{
9496 		"calls: conditional call 4",
9497 		.insns = {
9498 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9499 				    offsetof(struct __sk_buff, mark)),
9500 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9501 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9502 			BPF_MOV64_IMM(BPF_REG_0, 1),
9503 			BPF_EXIT_INSN(),
9504 			BPF_MOV64_IMM(BPF_REG_0, 1),
9505 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
9506 			BPF_MOV64_IMM(BPF_REG_0, 3),
9507 			BPF_EXIT_INSN(),
9508 		},
9509 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9510 		.result = ACCEPT,
9511 	},
9512 	{
9513 		"calls: conditional call 5",
9514 		.insns = {
9515 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9516 				    offsetof(struct __sk_buff, mark)),
9517 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9518 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9519 			BPF_MOV64_IMM(BPF_REG_0, 1),
9520 			BPF_EXIT_INSN(),
9521 			BPF_MOV64_IMM(BPF_REG_0, 1),
9522 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9523 			BPF_MOV64_IMM(BPF_REG_0, 3),
9524 			BPF_EXIT_INSN(),
9525 		},
9526 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9527 		.errstr = "back-edge from insn",
9528 		.result = REJECT,
9529 	},
9530 	{
9531 		"calls: conditional call 6",
9532 		.insns = {
9533 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9534 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
9535 			BPF_EXIT_INSN(),
9536 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9537 				    offsetof(struct __sk_buff, mark)),
9538 			BPF_EXIT_INSN(),
9539 		},
9540 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9541 		.errstr = "back-edge from insn",
9542 		.result = REJECT,
9543 	},
9544 	{
9545 		"calls: using r0 returned by callee",
9546 		.insns = {
9547 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9548 			BPF_EXIT_INSN(),
9549 			BPF_MOV64_IMM(BPF_REG_0, 2),
9550 			BPF_EXIT_INSN(),
9551 		},
9552 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9553 		.result = ACCEPT,
9554 	},
9555 	{
9556 		"calls: using uninit r0 from callee",
9557 		.insns = {
9558 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9559 			BPF_EXIT_INSN(),
9560 			BPF_EXIT_INSN(),
9561 		},
9562 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9563 		.errstr = "!read_ok",
9564 		.result = REJECT,
9565 	},
9566 	{
9567 		"calls: callee is using r1",
9568 		.insns = {
9569 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9570 			BPF_EXIT_INSN(),
9571 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9572 				    offsetof(struct __sk_buff, len)),
9573 			BPF_EXIT_INSN(),
9574 		},
9575 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
9576 		.result = ACCEPT,
9577 		.retval = TEST_DATA_LEN,
9578 	},
9579 	{
9580 		"calls: callee using args1",
9581 		.insns = {
9582 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9583 			BPF_EXIT_INSN(),
9584 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9585 			BPF_EXIT_INSN(),
9586 		},
9587 		.errstr_unpriv = "allowed for root only",
9588 		.result_unpriv = REJECT,
9589 		.result = ACCEPT,
9590 		.retval = POINTER_VALUE,
9591 	},
9592 	{
9593 		"calls: callee using wrong args2",
9594 		.insns = {
9595 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9596 			BPF_EXIT_INSN(),
9597 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9598 			BPF_EXIT_INSN(),
9599 		},
9600 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9601 		.errstr = "R2 !read_ok",
9602 		.result = REJECT,
9603 	},
9604 	{
9605 		"calls: callee using two args",
9606 		.insns = {
9607 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9608 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
9609 				    offsetof(struct __sk_buff, len)),
9610 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
9611 				    offsetof(struct __sk_buff, len)),
9612 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9613 			BPF_EXIT_INSN(),
9614 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9615 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9616 			BPF_EXIT_INSN(),
9617 		},
9618 		.errstr_unpriv = "allowed for root only",
9619 		.result_unpriv = REJECT,
9620 		.result = ACCEPT,
9621 		.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
9622 	},
9623 	{
9624 		"calls: callee changing pkt pointers",
9625 		.insns = {
9626 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9627 				    offsetof(struct xdp_md, data)),
9628 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
9629 				    offsetof(struct xdp_md, data_end)),
9630 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
9631 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
9632 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
9633 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9634 			/* clear_all_pkt_pointers() has to walk all frames
9635 			 * to make sure that pkt pointers in the caller
9636 			 * are cleared when callee is calling a helper that
9637 			 * adjusts packet size
9638 			 */
9639 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
9640 			BPF_MOV32_IMM(BPF_REG_0, 0),
9641 			BPF_EXIT_INSN(),
9642 			BPF_MOV64_IMM(BPF_REG_2, 0),
9643 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9644 				     BPF_FUNC_xdp_adjust_head),
9645 			BPF_EXIT_INSN(),
9646 		},
9647 		.result = REJECT,
9648 		.errstr = "R6 invalid mem access 'inv'",
9649 		.prog_type = BPF_PROG_TYPE_XDP,
9650 	},
9651 	{
9652 		"calls: two calls with args",
9653 		.insns = {
9654 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9655 			BPF_EXIT_INSN(),
9656 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9657 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9658 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9659 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9660 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9661 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9662 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9663 			BPF_EXIT_INSN(),
9664 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9665 				    offsetof(struct __sk_buff, len)),
9666 			BPF_EXIT_INSN(),
9667 		},
9668 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9669 		.result = ACCEPT,
9670 		.retval = TEST_DATA_LEN + TEST_DATA_LEN,
9671 	},
9672 	{
9673 		"calls: calls with stack arith",
9674 		.insns = {
9675 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9676 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9677 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9678 			BPF_EXIT_INSN(),
9679 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9680 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9681 			BPF_EXIT_INSN(),
9682 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9683 			BPF_MOV64_IMM(BPF_REG_0, 42),
9684 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
9685 			BPF_EXIT_INSN(),
9686 		},
9687 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9688 		.result = ACCEPT,
9689 		.retval = 42,
9690 	},
9691 	{
9692 		"calls: calls with misaligned stack access",
9693 		.insns = {
9694 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9695 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
9696 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9697 			BPF_EXIT_INSN(),
9698 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
9699 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9700 			BPF_EXIT_INSN(),
9701 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
9702 			BPF_MOV64_IMM(BPF_REG_0, 42),
9703 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
9704 			BPF_EXIT_INSN(),
9705 		},
9706 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9707 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
9708 		.errstr = "misaligned stack access",
9709 		.result = REJECT,
9710 	},
9711 	{
9712 		"calls: calls control flow, jump test",
9713 		.insns = {
9714 			BPF_MOV64_IMM(BPF_REG_0, 42),
9715 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9716 			BPF_MOV64_IMM(BPF_REG_0, 43),
9717 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9718 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
9719 			BPF_EXIT_INSN(),
9720 		},
9721 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9722 		.result = ACCEPT,
9723 		.retval = 43,
9724 	},
9725 	{
9726 		"calls: calls control flow, jump test 2",
9727 		.insns = {
9728 			BPF_MOV64_IMM(BPF_REG_0, 42),
9729 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9730 			BPF_MOV64_IMM(BPF_REG_0, 43),
9731 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9732 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9733 			BPF_EXIT_INSN(),
9734 		},
9735 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9736 		.errstr = "jump out of range from insn 1 to 4",
9737 		.result = REJECT,
9738 	},
9739 	{
9740 		"calls: two calls with bad jump",
9741 		.insns = {
9742 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9743 			BPF_EXIT_INSN(),
9744 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9745 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9746 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9747 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9748 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9749 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9750 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9751 			BPF_EXIT_INSN(),
9752 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9753 				    offsetof(struct __sk_buff, len)),
9754 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
9755 			BPF_EXIT_INSN(),
9756 		},
9757 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9758 		.errstr = "jump out of range from insn 11 to 9",
9759 		.result = REJECT,
9760 	},
9761 	{
9762 		"calls: recursive call. test1",
9763 		.insns = {
9764 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9765 			BPF_EXIT_INSN(),
9766 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9767 			BPF_EXIT_INSN(),
9768 		},
9769 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9770 		.errstr = "back-edge",
9771 		.result = REJECT,
9772 	},
9773 	{
9774 		"calls: recursive call. test2",
9775 		.insns = {
9776 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9777 			BPF_EXIT_INSN(),
9778 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9779 			BPF_EXIT_INSN(),
9780 		},
9781 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9782 		.errstr = "back-edge",
9783 		.result = REJECT,
9784 	},
9785 	{
9786 		"calls: unreachable code",
9787 		.insns = {
9788 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9789 			BPF_EXIT_INSN(),
9790 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9791 			BPF_EXIT_INSN(),
9792 			BPF_MOV64_IMM(BPF_REG_0, 0),
9793 			BPF_EXIT_INSN(),
9794 			BPF_MOV64_IMM(BPF_REG_0, 0),
9795 			BPF_EXIT_INSN(),
9796 		},
9797 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9798 		.errstr = "unreachable insn 6",
9799 		.result = REJECT,
9800 	},
9801 	{
9802 		"calls: invalid call",
9803 		.insns = {
9804 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9805 			BPF_EXIT_INSN(),
9806 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
9807 			BPF_EXIT_INSN(),
9808 		},
9809 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9810 		.errstr = "invalid destination",
9811 		.result = REJECT,
9812 	},
9813 	{
9814 		"calls: invalid call 2",
9815 		.insns = {
9816 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9817 			BPF_EXIT_INSN(),
9818 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
9819 			BPF_EXIT_INSN(),
9820 		},
9821 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9822 		.errstr = "invalid destination",
9823 		.result = REJECT,
9824 	},
9825 	{
9826 		"calls: jumping across function bodies. test1",
9827 		.insns = {
9828 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9829 			BPF_MOV64_IMM(BPF_REG_0, 0),
9830 			BPF_EXIT_INSN(),
9831 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
9832 			BPF_EXIT_INSN(),
9833 		},
9834 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9835 		.errstr = "jump out of range",
9836 		.result = REJECT,
9837 	},
9838 	{
9839 		"calls: jumping across function bodies. test2",
9840 		.insns = {
9841 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
9842 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9843 			BPF_MOV64_IMM(BPF_REG_0, 0),
9844 			BPF_EXIT_INSN(),
9845 			BPF_EXIT_INSN(),
9846 		},
9847 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9848 		.errstr = "jump out of range",
9849 		.result = REJECT,
9850 	},
9851 	{
9852 		"calls: call without exit",
9853 		.insns = {
9854 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9855 			BPF_EXIT_INSN(),
9856 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9857 			BPF_EXIT_INSN(),
9858 			BPF_MOV64_IMM(BPF_REG_0, 0),
9859 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
9860 		},
9861 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9862 		.errstr = "not an exit",
9863 		.result = REJECT,
9864 	},
9865 	{
9866 		"calls: call into middle of ld_imm64",
9867 		.insns = {
9868 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9869 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9870 			BPF_MOV64_IMM(BPF_REG_0, 0),
9871 			BPF_EXIT_INSN(),
9872 			BPF_LD_IMM64(BPF_REG_0, 0),
9873 			BPF_EXIT_INSN(),
9874 		},
9875 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9876 		.errstr = "last insn",
9877 		.result = REJECT,
9878 	},
9879 	{
9880 		"calls: call into middle of other call",
9881 		.insns = {
9882 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9883 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9884 			BPF_MOV64_IMM(BPF_REG_0, 0),
9885 			BPF_EXIT_INSN(),
9886 			BPF_MOV64_IMM(BPF_REG_0, 0),
9887 			BPF_MOV64_IMM(BPF_REG_0, 0),
9888 			BPF_EXIT_INSN(),
9889 		},
9890 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9891 		.errstr = "last insn",
9892 		.result = REJECT,
9893 	},
9894 	{
9895 		"calls: ld_abs with changing ctx data in callee",
9896 		.insns = {
9897 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9898 			BPF_LD_ABS(BPF_B, 0),
9899 			BPF_LD_ABS(BPF_H, 0),
9900 			BPF_LD_ABS(BPF_W, 0),
9901 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
9902 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
9903 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
9904 			BPF_LD_ABS(BPF_B, 0),
9905 			BPF_LD_ABS(BPF_H, 0),
9906 			BPF_LD_ABS(BPF_W, 0),
9907 			BPF_EXIT_INSN(),
9908 			BPF_MOV64_IMM(BPF_REG_2, 1),
9909 			BPF_MOV64_IMM(BPF_REG_3, 2),
9910 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9911 				     BPF_FUNC_skb_vlan_push),
9912 			BPF_EXIT_INSN(),
9913 		},
9914 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9915 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
9916 		.result = REJECT,
9917 	},
9918 	{
9919 		"calls: two calls with bad fallthrough",
9920 		.insns = {
9921 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9922 			BPF_EXIT_INSN(),
9923 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9924 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9925 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9926 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9927 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9928 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9929 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9930 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
9931 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9932 				    offsetof(struct __sk_buff, len)),
9933 			BPF_EXIT_INSN(),
9934 		},
9935 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9936 		.errstr = "not an exit",
9937 		.result = REJECT,
9938 	},
9939 	{
9940 		"calls: two calls with stack read",
9941 		.insns = {
9942 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9943 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9944 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9945 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9946 			BPF_EXIT_INSN(),
9947 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9948 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9949 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9950 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9951 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9952 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9953 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9954 			BPF_EXIT_INSN(),
9955 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9956 			BPF_EXIT_INSN(),
9957 		},
9958 		.prog_type = BPF_PROG_TYPE_XDP,
9959 		.result = ACCEPT,
9960 	},
9961 	{
9962 		"calls: two calls with stack write",
9963 		.insns = {
9964 			/* main prog */
9965 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9966 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9967 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9968 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9969 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9970 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9971 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
9972 			BPF_EXIT_INSN(),
9973 
9974 			/* subprog 1 */
9975 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9976 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9977 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
9978 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
9979 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9980 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9981 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
9982 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
9983 			/* write into stack frame of main prog */
9984 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
9985 			BPF_EXIT_INSN(),
9986 
9987 			/* subprog 2 */
9988 			/* read from stack frame of main prog */
9989 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9990 			BPF_EXIT_INSN(),
9991 		},
9992 		.prog_type = BPF_PROG_TYPE_XDP,
9993 		.result = ACCEPT,
9994 	},
9995 	{
9996 		"calls: stack overflow using two frames (pre-call access)",
9997 		.insns = {
9998 			/* prog 1 */
9999 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10000 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10001 			BPF_EXIT_INSN(),
10002 
10003 			/* prog 2 */
10004 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10005 			BPF_MOV64_IMM(BPF_REG_0, 0),
10006 			BPF_EXIT_INSN(),
10007 		},
10008 		.prog_type = BPF_PROG_TYPE_XDP,
10009 		.errstr = "combined stack size",
10010 		.result = REJECT,
10011 	},
10012 	{
10013 		"calls: stack overflow using two frames (post-call access)",
10014 		.insns = {
10015 			/* prog 1 */
10016 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10017 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10018 			BPF_EXIT_INSN(),
10019 
10020 			/* prog 2 */
10021 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10022 			BPF_MOV64_IMM(BPF_REG_0, 0),
10023 			BPF_EXIT_INSN(),
10024 		},
10025 		.prog_type = BPF_PROG_TYPE_XDP,
10026 		.errstr = "combined stack size",
10027 		.result = REJECT,
10028 	},
10029 	{
10030 		"calls: stack depth check using three frames. test1",
10031 		.insns = {
10032 			/* main */
10033 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10034 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10035 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10036 			BPF_MOV64_IMM(BPF_REG_0, 0),
10037 			BPF_EXIT_INSN(),
10038 			/* A */
10039 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10040 			BPF_EXIT_INSN(),
10041 			/* B */
10042 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10043 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10044 			BPF_EXIT_INSN(),
10045 		},
10046 		.prog_type = BPF_PROG_TYPE_XDP,
10047 		/* stack_main=32, stack_A=256, stack_B=64
10048 		 * and max(main+A, main+A+B) < 512
10049 		 */
10050 		.result = ACCEPT,
10051 	},
10052 	{
10053 		"calls: stack depth check using three frames. test2",
10054 		.insns = {
10055 			/* main */
10056 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10057 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10058 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10059 			BPF_MOV64_IMM(BPF_REG_0, 0),
10060 			BPF_EXIT_INSN(),
10061 			/* A */
10062 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10063 			BPF_EXIT_INSN(),
10064 			/* B */
10065 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10066 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10067 			BPF_EXIT_INSN(),
10068 		},
10069 		.prog_type = BPF_PROG_TYPE_XDP,
10070 		/* stack_main=32, stack_A=64, stack_B=256
10071 		 * and max(main+A, main+A+B) < 512
10072 		 */
10073 		.result = ACCEPT,
10074 	},
10075 	{
10076 		"calls: stack depth check using three frames. test3",
10077 		.insns = {
10078 			/* main */
10079 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10080 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10081 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10082 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10083 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10084 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10085 			BPF_MOV64_IMM(BPF_REG_0, 0),
10086 			BPF_EXIT_INSN(),
10087 			/* A */
10088 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10089 			BPF_EXIT_INSN(),
10090 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10091 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10092 			/* B */
10093 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10094 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10095 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10096 			BPF_EXIT_INSN(),
10097 		},
10098 		.prog_type = BPF_PROG_TYPE_XDP,
10099 		/* stack_main=64, stack_A=224, stack_B=256
10100 		 * and max(main+A, main+A+B) > 512
10101 		 */
10102 		.errstr = "combined stack",
10103 		.result = REJECT,
10104 	},
10105 	{
10106 		"calls: stack depth check using three frames. test4",
10107 		/* void main(void) {
10108 		 *   func1(0);
10109 		 *   func1(1);
10110 		 *   func2(1);
10111 		 * }
10112 		 * void func1(int alloc_or_recurse) {
10113 		 *   if (alloc_or_recurse) {
10114 		 *     frame_pointer[-300] = 1;
10115 		 *   } else {
10116 		 *     func2(alloc_or_recurse);
10117 		 *   }
10118 		 * }
10119 		 * void func2(int alloc_or_recurse) {
10120 		 *   if (alloc_or_recurse) {
10121 		 *     frame_pointer[-300] = 1;
10122 		 *   }
10123 		 * }
10124 		 */
10125 		.insns = {
10126 			/* main */
10127 			BPF_MOV64_IMM(BPF_REG_1, 0),
10128 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10129 			BPF_MOV64_IMM(BPF_REG_1, 1),
10130 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10131 			BPF_MOV64_IMM(BPF_REG_1, 1),
10132 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10133 			BPF_MOV64_IMM(BPF_REG_0, 0),
10134 			BPF_EXIT_INSN(),
10135 			/* A */
10136 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10137 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10138 			BPF_EXIT_INSN(),
10139 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10140 			BPF_EXIT_INSN(),
10141 			/* B */
10142 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10143 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10144 			BPF_EXIT_INSN(),
10145 		},
10146 		.prog_type = BPF_PROG_TYPE_XDP,
10147 		.result = REJECT,
10148 		.errstr = "combined stack",
10149 	},
10150 	{
10151 		"calls: stack depth check using three frames. test5",
10152 		.insns = {
10153 			/* main */
10154 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10155 			BPF_EXIT_INSN(),
10156 			/* A */
10157 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10158 			BPF_EXIT_INSN(),
10159 			/* B */
10160 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10161 			BPF_EXIT_INSN(),
10162 			/* C */
10163 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10164 			BPF_EXIT_INSN(),
10165 			/* D */
10166 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10167 			BPF_EXIT_INSN(),
10168 			/* E */
10169 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10170 			BPF_EXIT_INSN(),
10171 			/* F */
10172 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10173 			BPF_EXIT_INSN(),
10174 			/* G */
10175 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10176 			BPF_EXIT_INSN(),
10177 			/* H */
10178 			BPF_MOV64_IMM(BPF_REG_0, 0),
10179 			BPF_EXIT_INSN(),
10180 		},
10181 		.prog_type = BPF_PROG_TYPE_XDP,
10182 		.errstr = "call stack",
10183 		.result = REJECT,
10184 	},
10185 	{
10186 		"calls: spill into caller stack frame",
10187 		.insns = {
10188 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10189 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10190 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10191 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10192 			BPF_EXIT_INSN(),
10193 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10194 			BPF_MOV64_IMM(BPF_REG_0, 0),
10195 			BPF_EXIT_INSN(),
10196 		},
10197 		.prog_type = BPF_PROG_TYPE_XDP,
10198 		.errstr = "cannot spill",
10199 		.result = REJECT,
10200 	},
10201 	{
10202 		"calls: write into caller stack frame",
10203 		.insns = {
10204 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10206 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10207 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10208 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10209 			BPF_EXIT_INSN(),
10210 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10211 			BPF_MOV64_IMM(BPF_REG_0, 0),
10212 			BPF_EXIT_INSN(),
10213 		},
10214 		.prog_type = BPF_PROG_TYPE_XDP,
10215 		.result = ACCEPT,
10216 		.retval = 42,
10217 	},
10218 	{
10219 		"calls: write into callee stack frame",
10220 		.insns = {
10221 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10222 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10223 			BPF_EXIT_INSN(),
10224 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10225 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10226 			BPF_EXIT_INSN(),
10227 		},
10228 		.prog_type = BPF_PROG_TYPE_XDP,
10229 		.errstr = "cannot return stack pointer",
10230 		.result = REJECT,
10231 	},
10232 	{
10233 		"calls: two calls with stack write and void return",
10234 		.insns = {
10235 			/* main prog */
10236 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10237 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10238 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10239 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10240 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10241 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10242 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10243 			BPF_EXIT_INSN(),
10244 
10245 			/* subprog 1 */
10246 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10247 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10248 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10249 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10250 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10251 			BPF_EXIT_INSN(),
10252 
10253 			/* subprog 2 */
10254 			/* write into stack frame of main prog */
10255 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10256 			BPF_EXIT_INSN(), /* void return */
10257 		},
10258 		.prog_type = BPF_PROG_TYPE_XDP,
10259 		.result = ACCEPT,
10260 	},
10261 	{
10262 		"calls: ambiguous return value",
10263 		.insns = {
10264 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10265 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10266 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10267 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10268 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10269 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10270 			BPF_EXIT_INSN(),
10271 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10272 			BPF_MOV64_IMM(BPF_REG_0, 0),
10273 			BPF_EXIT_INSN(),
10274 		},
10275 		.errstr_unpriv = "allowed for root only",
10276 		.result_unpriv = REJECT,
10277 		.errstr = "R0 !read_ok",
10278 		.result = REJECT,
10279 	},
10280 	{
10281 		"calls: two calls that return map_value",
10282 		.insns = {
10283 			/* main prog */
10284 			/* pass fp-16, fp-8 into a function */
10285 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10286 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10287 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10288 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10289 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10290 
10291 			/* fetch map_value_ptr from the stack of this function */
10292 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10293 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10294 			/* write into map value */
10295 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10296 			/* fetch secound map_value_ptr from the stack */
10297 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10298 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10299 			/* write into map value */
10300 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10301 			BPF_MOV64_IMM(BPF_REG_0, 0),
10302 			BPF_EXIT_INSN(),
10303 
10304 			/* subprog 1 */
10305 			/* call 3rd function twice */
10306 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10307 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10308 			/* first time with fp-8 */
10309 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10310 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10311 			/* second time with fp-16 */
10312 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10313 			BPF_EXIT_INSN(),
10314 
10315 			/* subprog 2 */
10316 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10317 			/* lookup from map */
10318 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10319 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10320 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10321 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10322 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10323 				     BPF_FUNC_map_lookup_elem),
10324 			/* write map_value_ptr into stack frame of main prog */
10325 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10326 			BPF_MOV64_IMM(BPF_REG_0, 0),
10327 			BPF_EXIT_INSN(), /* return 0 */
10328 		},
10329 		.prog_type = BPF_PROG_TYPE_XDP,
10330 		.fixup_map1 = { 23 },
10331 		.result = ACCEPT,
10332 	},
10333 	{
10334 		"calls: two calls that return map_value with bool condition",
10335 		.insns = {
10336 			/* main prog */
10337 			/* pass fp-16, fp-8 into a function */
10338 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10339 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10340 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10341 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10342 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10343 			BPF_MOV64_IMM(BPF_REG_0, 0),
10344 			BPF_EXIT_INSN(),
10345 
10346 			/* subprog 1 */
10347 			/* call 3rd function twice */
10348 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10349 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10350 			/* first time with fp-8 */
10351 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10352 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10353 			/* fetch map_value_ptr from the stack of this function */
10354 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10355 			/* write into map value */
10356 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10357 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10358 			/* second time with fp-16 */
10359 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10360 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10361 			/* fetch secound map_value_ptr from the stack */
10362 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10363 			/* write into map value */
10364 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10365 			BPF_EXIT_INSN(),
10366 
10367 			/* subprog 2 */
10368 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10369 			/* lookup from map */
10370 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10371 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10372 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10373 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10374 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10375 				     BPF_FUNC_map_lookup_elem),
10376 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10377 			BPF_MOV64_IMM(BPF_REG_0, 0),
10378 			BPF_EXIT_INSN(), /* return 0 */
10379 			/* write map_value_ptr into stack frame of main prog */
10380 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10381 			BPF_MOV64_IMM(BPF_REG_0, 1),
10382 			BPF_EXIT_INSN(), /* return 1 */
10383 		},
10384 		.prog_type = BPF_PROG_TYPE_XDP,
10385 		.fixup_map1 = { 23 },
10386 		.result = ACCEPT,
10387 	},
10388 	{
10389 		"calls: two calls that return map_value with incorrect bool check",
10390 		.insns = {
10391 			/* main prog */
10392 			/* pass fp-16, fp-8 into a function */
10393 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10394 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10395 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10396 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10397 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10398 			BPF_MOV64_IMM(BPF_REG_0, 0),
10399 			BPF_EXIT_INSN(),
10400 
10401 			/* subprog 1 */
10402 			/* call 3rd function twice */
10403 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10404 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10405 			/* first time with fp-8 */
10406 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10407 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10408 			/* fetch map_value_ptr from the stack of this function */
10409 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10410 			/* write into map value */
10411 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10412 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10413 			/* second time with fp-16 */
10414 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10415 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10416 			/* fetch secound map_value_ptr from the stack */
10417 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10418 			/* write into map value */
10419 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10420 			BPF_EXIT_INSN(),
10421 
10422 			/* subprog 2 */
10423 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10424 			/* lookup from map */
10425 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10426 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10427 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10428 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10429 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10430 				     BPF_FUNC_map_lookup_elem),
10431 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10432 			BPF_MOV64_IMM(BPF_REG_0, 0),
10433 			BPF_EXIT_INSN(), /* return 0 */
10434 			/* write map_value_ptr into stack frame of main prog */
10435 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10436 			BPF_MOV64_IMM(BPF_REG_0, 1),
10437 			BPF_EXIT_INSN(), /* return 1 */
10438 		},
10439 		.prog_type = BPF_PROG_TYPE_XDP,
10440 		.fixup_map1 = { 23 },
10441 		.result = REJECT,
10442 		.errstr = "invalid read from stack off -16+0 size 8",
10443 	},
10444 	{
10445 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10446 		.insns = {
10447 			/* main prog */
10448 			/* pass fp-16, fp-8 into a function */
10449 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10450 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10451 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10452 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10453 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10454 			BPF_MOV64_IMM(BPF_REG_0, 0),
10455 			BPF_EXIT_INSN(),
10456 
10457 			/* subprog 1 */
10458 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10459 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10460 			/* 1st lookup from map */
10461 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10462 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10463 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10464 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10465 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10466 				     BPF_FUNC_map_lookup_elem),
10467 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10468 			BPF_MOV64_IMM(BPF_REG_8, 0),
10469 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10470 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10471 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10472 			BPF_MOV64_IMM(BPF_REG_8, 1),
10473 
10474 			/* 2nd lookup from map */
10475 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10476 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10477 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10478 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10479 				     BPF_FUNC_map_lookup_elem),
10480 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10481 			BPF_MOV64_IMM(BPF_REG_9, 0),
10482 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10483 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10484 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10485 			BPF_MOV64_IMM(BPF_REG_9, 1),
10486 
10487 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10488 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10489 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10490 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10491 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10492 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
10493 			BPF_EXIT_INSN(),
10494 
10495 			/* subprog 2 */
10496 			/* if arg2 == 1 do *arg1 = 0 */
10497 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10498 			/* fetch map_value_ptr from the stack of this function */
10499 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10500 			/* write into map value */
10501 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10502 
10503 			/* if arg4 == 1 do *arg3 = 0 */
10504 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10505 			/* fetch map_value_ptr from the stack of this function */
10506 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10507 			/* write into map value */
10508 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10509 			BPF_EXIT_INSN(),
10510 		},
10511 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10512 		.fixup_map1 = { 12, 22 },
10513 		.result = REJECT,
10514 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
10515 	},
10516 	{
10517 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
10518 		.insns = {
10519 			/* main prog */
10520 			/* pass fp-16, fp-8 into a function */
10521 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10522 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10523 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10524 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10525 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10526 			BPF_MOV64_IMM(BPF_REG_0, 0),
10527 			BPF_EXIT_INSN(),
10528 
10529 			/* subprog 1 */
10530 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10531 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10532 			/* 1st lookup from map */
10533 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10534 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10535 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10536 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10537 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10538 				     BPF_FUNC_map_lookup_elem),
10539 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10540 			BPF_MOV64_IMM(BPF_REG_8, 0),
10541 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10542 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10543 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10544 			BPF_MOV64_IMM(BPF_REG_8, 1),
10545 
10546 			/* 2nd lookup from map */
10547 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10548 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10549 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10550 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10551 				     BPF_FUNC_map_lookup_elem),
10552 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10553 			BPF_MOV64_IMM(BPF_REG_9, 0),
10554 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10555 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10556 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10557 			BPF_MOV64_IMM(BPF_REG_9, 1),
10558 
10559 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10560 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10561 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10562 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10563 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10564 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
10565 			BPF_EXIT_INSN(),
10566 
10567 			/* subprog 2 */
10568 			/* if arg2 == 1 do *arg1 = 0 */
10569 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10570 			/* fetch map_value_ptr from the stack of this function */
10571 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10572 			/* write into map value */
10573 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10574 
10575 			/* if arg4 == 1 do *arg3 = 0 */
10576 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10577 			/* fetch map_value_ptr from the stack of this function */
10578 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10579 			/* write into map value */
10580 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10581 			BPF_EXIT_INSN(),
10582 		},
10583 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10584 		.fixup_map1 = { 12, 22 },
10585 		.result = ACCEPT,
10586 	},
10587 	{
10588 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
10589 		.insns = {
10590 			/* main prog */
10591 			/* pass fp-16, fp-8 into a function */
10592 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10593 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10594 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10595 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10596 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
10597 			BPF_MOV64_IMM(BPF_REG_0, 0),
10598 			BPF_EXIT_INSN(),
10599 
10600 			/* subprog 1 */
10601 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10602 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10603 			/* 1st lookup from map */
10604 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
10605 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10606 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10607 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10608 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10609 				     BPF_FUNC_map_lookup_elem),
10610 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10611 			BPF_MOV64_IMM(BPF_REG_8, 0),
10612 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10613 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10614 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10615 			BPF_MOV64_IMM(BPF_REG_8, 1),
10616 
10617 			/* 2nd lookup from map */
10618 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10619 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10620 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10621 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10622 				     BPF_FUNC_map_lookup_elem),
10623 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10624 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
10625 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10626 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10627 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10628 			BPF_MOV64_IMM(BPF_REG_9, 1),
10629 
10630 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10631 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
10632 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10633 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10634 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10635 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
10636 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
10637 
10638 			/* subprog 2 */
10639 			/* if arg2 == 1 do *arg1 = 0 */
10640 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10641 			/* fetch map_value_ptr from the stack of this function */
10642 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10643 			/* write into map value */
10644 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10645 
10646 			/* if arg4 == 1 do *arg3 = 0 */
10647 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10648 			/* fetch map_value_ptr from the stack of this function */
10649 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10650 			/* write into map value */
10651 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10652 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
10653 		},
10654 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10655 		.fixup_map1 = { 12, 22 },
10656 		.result = REJECT,
10657 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
10658 	},
10659 	{
10660 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
10661 		.insns = {
10662 			/* main prog */
10663 			/* pass fp-16, fp-8 into a function */
10664 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10665 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10666 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10667 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10668 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10669 			BPF_MOV64_IMM(BPF_REG_0, 0),
10670 			BPF_EXIT_INSN(),
10671 
10672 			/* subprog 1 */
10673 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10674 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10675 			/* 1st lookup from map */
10676 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10677 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10678 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10679 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10680 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10681 				     BPF_FUNC_map_lookup_elem),
10682 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10683 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10684 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10685 			BPF_MOV64_IMM(BPF_REG_8, 0),
10686 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10687 			BPF_MOV64_IMM(BPF_REG_8, 1),
10688 
10689 			/* 2nd lookup from map */
10690 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10691 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10692 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10693 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10694 				     BPF_FUNC_map_lookup_elem),
10695 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
10696 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10697 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10698 			BPF_MOV64_IMM(BPF_REG_9, 0),
10699 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10700 			BPF_MOV64_IMM(BPF_REG_9, 1),
10701 
10702 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10703 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10704 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10705 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10706 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10707 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10708 			BPF_EXIT_INSN(),
10709 
10710 			/* subprog 2 */
10711 			/* if arg2 == 1 do *arg1 = 0 */
10712 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10713 			/* fetch map_value_ptr from the stack of this function */
10714 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10715 			/* write into map value */
10716 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10717 
10718 			/* if arg4 == 1 do *arg3 = 0 */
10719 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10720 			/* fetch map_value_ptr from the stack of this function */
10721 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10722 			/* write into map value */
10723 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10724 			BPF_EXIT_INSN(),
10725 		},
10726 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10727 		.fixup_map1 = { 12, 22 },
10728 		.result = ACCEPT,
10729 	},
10730 	{
10731 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
10732 		.insns = {
10733 			/* main prog */
10734 			/* pass fp-16, fp-8 into a function */
10735 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10736 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10737 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10738 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10739 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10740 			BPF_MOV64_IMM(BPF_REG_0, 0),
10741 			BPF_EXIT_INSN(),
10742 
10743 			/* subprog 1 */
10744 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10745 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10746 			/* 1st lookup from map */
10747 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10748 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10749 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10750 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10751 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10752 				     BPF_FUNC_map_lookup_elem),
10753 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10754 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10755 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10756 			BPF_MOV64_IMM(BPF_REG_8, 0),
10757 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10758 			BPF_MOV64_IMM(BPF_REG_8, 1),
10759 
10760 			/* 2nd lookup from map */
10761 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10762 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10763 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10764 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10765 				     BPF_FUNC_map_lookup_elem),
10766 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
10767 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10768 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10769 			BPF_MOV64_IMM(BPF_REG_9, 0),
10770 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10771 			BPF_MOV64_IMM(BPF_REG_9, 1),
10772 
10773 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10774 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10775 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10776 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10777 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10778 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10779 			BPF_EXIT_INSN(),
10780 
10781 			/* subprog 2 */
10782 			/* if arg2 == 1 do *arg1 = 0 */
10783 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10784 			/* fetch map_value_ptr from the stack of this function */
10785 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10786 			/* write into map value */
10787 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10788 
10789 			/* if arg4 == 0 do *arg3 = 0 */
10790 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
10791 			/* fetch map_value_ptr from the stack of this function */
10792 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10793 			/* write into map value */
10794 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10795 			BPF_EXIT_INSN(),
10796 		},
10797 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10798 		.fixup_map1 = { 12, 22 },
10799 		.result = REJECT,
10800 		.errstr = "R0 invalid mem access 'inv'",
10801 	},
10802 	{
10803 		"calls: pkt_ptr spill into caller stack",
10804 		.insns = {
10805 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10807 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10808 			BPF_EXIT_INSN(),
10809 
10810 			/* subprog 1 */
10811 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10812 				    offsetof(struct __sk_buff, data)),
10813 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10814 				    offsetof(struct __sk_buff, data_end)),
10815 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10816 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10817 			/* spill unchecked pkt_ptr into stack of caller */
10818 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10819 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10820 			/* now the pkt range is verified, read pkt_ptr from stack */
10821 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10822 			/* write 4 bytes into packet */
10823 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10824 			BPF_EXIT_INSN(),
10825 		},
10826 		.result = ACCEPT,
10827 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10828 		.retval = POINTER_VALUE,
10829 	},
10830 	{
10831 		"calls: pkt_ptr spill into caller stack 2",
10832 		.insns = {
10833 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10834 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10835 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10836 			/* Marking is still kept, but not in all cases safe. */
10837 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10838 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10839 			BPF_EXIT_INSN(),
10840 
10841 			/* subprog 1 */
10842 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10843 				    offsetof(struct __sk_buff, data)),
10844 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10845 				    offsetof(struct __sk_buff, data_end)),
10846 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10847 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10848 			/* spill unchecked pkt_ptr into stack of caller */
10849 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10850 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10851 			/* now the pkt range is verified, read pkt_ptr from stack */
10852 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10853 			/* write 4 bytes into packet */
10854 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10855 			BPF_EXIT_INSN(),
10856 		},
10857 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10858 		.errstr = "invalid access to packet",
10859 		.result = REJECT,
10860 	},
10861 	{
10862 		"calls: pkt_ptr spill into caller stack 3",
10863 		.insns = {
10864 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10865 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10866 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10867 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10868 			/* Marking is still kept and safe here. */
10869 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10870 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10871 			BPF_EXIT_INSN(),
10872 
10873 			/* subprog 1 */
10874 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10875 				    offsetof(struct __sk_buff, data)),
10876 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10877 				    offsetof(struct __sk_buff, data_end)),
10878 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10879 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10880 			/* spill unchecked pkt_ptr into stack of caller */
10881 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10882 			BPF_MOV64_IMM(BPF_REG_5, 0),
10883 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10884 			BPF_MOV64_IMM(BPF_REG_5, 1),
10885 			/* now the pkt range is verified, read pkt_ptr from stack */
10886 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10887 			/* write 4 bytes into packet */
10888 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10889 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10890 			BPF_EXIT_INSN(),
10891 		},
10892 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10893 		.result = ACCEPT,
10894 		.retval = 1,
10895 	},
10896 	{
10897 		"calls: pkt_ptr spill into caller stack 4",
10898 		.insns = {
10899 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10901 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10902 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10903 			/* Check marking propagated. */
10904 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10905 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10906 			BPF_EXIT_INSN(),
10907 
10908 			/* subprog 1 */
10909 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10910 				    offsetof(struct __sk_buff, data)),
10911 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10912 				    offsetof(struct __sk_buff, data_end)),
10913 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10914 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10915 			/* spill unchecked pkt_ptr into stack of caller */
10916 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10917 			BPF_MOV64_IMM(BPF_REG_5, 0),
10918 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10919 			BPF_MOV64_IMM(BPF_REG_5, 1),
10920 			/* don't read back pkt_ptr from stack here */
10921 			/* write 4 bytes into packet */
10922 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10923 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10924 			BPF_EXIT_INSN(),
10925 		},
10926 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10927 		.result = ACCEPT,
10928 		.retval = 1,
10929 	},
10930 	{
10931 		"calls: pkt_ptr spill into caller stack 5",
10932 		.insns = {
10933 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10934 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10935 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
10936 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10937 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10938 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10939 			BPF_EXIT_INSN(),
10940 
10941 			/* subprog 1 */
10942 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10943 				    offsetof(struct __sk_buff, data)),
10944 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10945 				    offsetof(struct __sk_buff, data_end)),
10946 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10948 			BPF_MOV64_IMM(BPF_REG_5, 0),
10949 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10950 			/* spill checked pkt_ptr into stack of caller */
10951 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10952 			BPF_MOV64_IMM(BPF_REG_5, 1),
10953 			/* don't read back pkt_ptr from stack here */
10954 			/* write 4 bytes into packet */
10955 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10956 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10957 			BPF_EXIT_INSN(),
10958 		},
10959 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10960 		.errstr = "same insn cannot be used with different",
10961 		.result = REJECT,
10962 	},
10963 	{
10964 		"calls: pkt_ptr spill into caller stack 6",
10965 		.insns = {
10966 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10967 				    offsetof(struct __sk_buff, data_end)),
10968 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10969 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10970 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10971 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10972 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10973 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10974 			BPF_EXIT_INSN(),
10975 
10976 			/* subprog 1 */
10977 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10978 				    offsetof(struct __sk_buff, data)),
10979 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10980 				    offsetof(struct __sk_buff, data_end)),
10981 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10982 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10983 			BPF_MOV64_IMM(BPF_REG_5, 0),
10984 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10985 			/* spill checked pkt_ptr into stack of caller */
10986 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10987 			BPF_MOV64_IMM(BPF_REG_5, 1),
10988 			/* don't read back pkt_ptr from stack here */
10989 			/* write 4 bytes into packet */
10990 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10991 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10992 			BPF_EXIT_INSN(),
10993 		},
10994 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10995 		.errstr = "R4 invalid mem access",
10996 		.result = REJECT,
10997 	},
10998 	{
10999 		"calls: pkt_ptr spill into caller stack 7",
11000 		.insns = {
11001 			BPF_MOV64_IMM(BPF_REG_2, 0),
11002 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11003 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11004 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11005 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11006 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11007 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11008 			BPF_EXIT_INSN(),
11009 
11010 			/* subprog 1 */
11011 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11012 				    offsetof(struct __sk_buff, data)),
11013 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11014 				    offsetof(struct __sk_buff, data_end)),
11015 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11016 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11017 			BPF_MOV64_IMM(BPF_REG_5, 0),
11018 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11019 			/* spill checked pkt_ptr into stack of caller */
11020 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11021 			BPF_MOV64_IMM(BPF_REG_5, 1),
11022 			/* don't read back pkt_ptr from stack here */
11023 			/* write 4 bytes into packet */
11024 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11025 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11026 			BPF_EXIT_INSN(),
11027 		},
11028 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11029 		.errstr = "R4 invalid mem access",
11030 		.result = REJECT,
11031 	},
11032 	{
11033 		"calls: pkt_ptr spill into caller stack 8",
11034 		.insns = {
11035 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11036 				    offsetof(struct __sk_buff, data)),
11037 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11038 				    offsetof(struct __sk_buff, data_end)),
11039 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11040 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11041 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11042 			BPF_EXIT_INSN(),
11043 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11044 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11045 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11046 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11047 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11048 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11049 			BPF_EXIT_INSN(),
11050 
11051 			/* subprog 1 */
11052 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11053 				    offsetof(struct __sk_buff, data)),
11054 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11055 				    offsetof(struct __sk_buff, data_end)),
11056 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11057 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11058 			BPF_MOV64_IMM(BPF_REG_5, 0),
11059 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11060 			/* spill checked pkt_ptr into stack of caller */
11061 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11062 			BPF_MOV64_IMM(BPF_REG_5, 1),
11063 			/* don't read back pkt_ptr from stack here */
11064 			/* write 4 bytes into packet */
11065 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11066 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11067 			BPF_EXIT_INSN(),
11068 		},
11069 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11070 		.result = ACCEPT,
11071 	},
11072 	{
11073 		"calls: pkt_ptr spill into caller stack 9",
11074 		.insns = {
11075 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11076 				    offsetof(struct __sk_buff, data)),
11077 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11078 				    offsetof(struct __sk_buff, data_end)),
11079 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11080 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11081 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11082 			BPF_EXIT_INSN(),
11083 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11084 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11085 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11086 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11087 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11088 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11089 			BPF_EXIT_INSN(),
11090 
11091 			/* subprog 1 */
11092 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11093 				    offsetof(struct __sk_buff, data)),
11094 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11095 				    offsetof(struct __sk_buff, data_end)),
11096 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11097 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11098 			BPF_MOV64_IMM(BPF_REG_5, 0),
11099 			/* spill unchecked pkt_ptr into stack of caller */
11100 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11101 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11102 			BPF_MOV64_IMM(BPF_REG_5, 1),
11103 			/* don't read back pkt_ptr from stack here */
11104 			/* write 4 bytes into packet */
11105 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11106 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11107 			BPF_EXIT_INSN(),
11108 		},
11109 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11110 		.errstr = "invalid access to packet",
11111 		.result = REJECT,
11112 	},
11113 	{
11114 		"calls: caller stack init to zero or map_value_or_null",
11115 		.insns = {
11116 			BPF_MOV64_IMM(BPF_REG_0, 0),
11117 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11118 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11119 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11120 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11121 			/* fetch map_value_or_null or const_zero from stack */
11122 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11123 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11124 			/* store into map_value */
11125 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11126 			BPF_EXIT_INSN(),
11127 
11128 			/* subprog 1 */
11129 			/* if (ctx == 0) return; */
11130 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11131 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
11132 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11133 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11134 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11135 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11136 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11137 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11138 				     BPF_FUNC_map_lookup_elem),
11139 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11140 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11141 			BPF_EXIT_INSN(),
11142 		},
11143 		.fixup_map1 = { 13 },
11144 		.result = ACCEPT,
11145 		.prog_type = BPF_PROG_TYPE_XDP,
11146 	},
11147 	{
11148 		"calls: stack init to zero and pruning",
11149 		.insns = {
11150 			/* first make allocated_stack 16 byte */
11151 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11152 			/* now fork the execution such that the false branch
11153 			 * of JGT insn will be verified second and it skisp zero
11154 			 * init of fp-8 stack slot. If stack liveness marking
11155 			 * is missing live_read marks from call map_lookup
11156 			 * processing then pruning will incorrectly assume
11157 			 * that fp-8 stack slot was unused in the fall-through
11158 			 * branch and will accept the program incorrectly
11159 			 */
11160 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11161 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11162 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11163 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11164 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11165 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11166 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11167 				     BPF_FUNC_map_lookup_elem),
11168 			BPF_EXIT_INSN(),
11169 		},
11170 		.fixup_map2 = { 6 },
11171 		.errstr = "invalid indirect read from stack off -8+0 size 8",
11172 		.result = REJECT,
11173 		.prog_type = BPF_PROG_TYPE_XDP,
11174 	},
11175 	{
11176 		"search pruning: all branches should be verified (nop operation)",
11177 		.insns = {
11178 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11179 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11180 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11181 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11182 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11183 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11184 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11185 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11186 			BPF_MOV64_IMM(BPF_REG_4, 0),
11187 			BPF_JMP_A(1),
11188 			BPF_MOV64_IMM(BPF_REG_4, 1),
11189 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11190 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11191 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11192 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11193 			BPF_MOV64_IMM(BPF_REG_6, 0),
11194 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11195 			BPF_EXIT_INSN(),
11196 		},
11197 		.fixup_map1 = { 3 },
11198 		.errstr = "R6 invalid mem access 'inv'",
11199 		.result = REJECT,
11200 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11201 	},
11202 	{
11203 		"search pruning: all branches should be verified (invalid stack access)",
11204 		.insns = {
11205 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11207 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11208 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11209 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11210 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11211 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11212 			BPF_MOV64_IMM(BPF_REG_4, 0),
11213 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11214 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11215 			BPF_JMP_A(1),
11216 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11217 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11218 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11219 			BPF_EXIT_INSN(),
11220 		},
11221 		.fixup_map1 = { 3 },
11222 		.errstr = "invalid read from stack off -16+0 size 8",
11223 		.result = REJECT,
11224 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11225 	},
11226 	{
11227 		"jit: lsh, rsh, arsh by 1",
11228 		.insns = {
11229 			BPF_MOV64_IMM(BPF_REG_0, 1),
11230 			BPF_MOV64_IMM(BPF_REG_1, 0xff),
11231 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11232 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11233 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11234 			BPF_EXIT_INSN(),
11235 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11236 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11237 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11238 			BPF_EXIT_INSN(),
11239 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11240 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11241 			BPF_EXIT_INSN(),
11242 			BPF_MOV64_IMM(BPF_REG_0, 2),
11243 			BPF_EXIT_INSN(),
11244 		},
11245 		.result = ACCEPT,
11246 		.retval = 2,
11247 	},
11248 	{
11249 		"jit: mov32 for ldimm64, 1",
11250 		.insns = {
11251 			BPF_MOV64_IMM(BPF_REG_0, 2),
11252 			BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11253 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11254 			BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11255 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11256 			BPF_MOV64_IMM(BPF_REG_0, 1),
11257 			BPF_EXIT_INSN(),
11258 		},
11259 		.result = ACCEPT,
11260 		.retval = 2,
11261 	},
11262 	{
11263 		"jit: mov32 for ldimm64, 2",
11264 		.insns = {
11265 			BPF_MOV64_IMM(BPF_REG_0, 1),
11266 			BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11267 			BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11268 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11269 			BPF_MOV64_IMM(BPF_REG_0, 2),
11270 			BPF_EXIT_INSN(),
11271 		},
11272 		.result = ACCEPT,
11273 		.retval = 2,
11274 	},
11275 	{
11276 		"jit: various mul tests",
11277 		.insns = {
11278 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11279 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11280 			BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11281 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11282 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11283 			BPF_MOV64_IMM(BPF_REG_0, 1),
11284 			BPF_EXIT_INSN(),
11285 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11286 			BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11287 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11288 			BPF_MOV64_IMM(BPF_REG_0, 1),
11289 			BPF_EXIT_INSN(),
11290 			BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11291 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11292 			BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11293 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11294 			BPF_MOV64_IMM(BPF_REG_0, 1),
11295 			BPF_EXIT_INSN(),
11296 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11297 			BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11298 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11299 			BPF_MOV64_IMM(BPF_REG_0, 1),
11300 			BPF_EXIT_INSN(),
11301 			BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11302 			BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11303 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11304 			BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11305 			BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11306 			BPF_MOV64_IMM(BPF_REG_0, 1),
11307 			BPF_EXIT_INSN(),
11308 			BPF_MOV64_IMM(BPF_REG_0, 2),
11309 			BPF_EXIT_INSN(),
11310 		},
11311 		.result = ACCEPT,
11312 		.retval = 2,
11313 	},
11314 
11315 };
11316 
11317 static int probe_filter_length(const struct bpf_insn *fp)
11318 {
11319 	int len;
11320 
11321 	for (len = MAX_INSNS - 1; len > 0; --len)
11322 		if (fp[len].code != 0 || fp[len].imm != 0)
11323 			break;
11324 	return len + 1;
11325 }
11326 
11327 static int create_map(uint32_t size_value, uint32_t max_elem)
11328 {
11329 	int fd;
11330 
11331 	fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
11332 			    size_value, max_elem, BPF_F_NO_PREALLOC);
11333 	if (fd < 0)
11334 		printf("Failed to create hash map '%s'!\n", strerror(errno));
11335 
11336 	return fd;
11337 }
11338 
11339 static int create_prog_dummy1(void)
11340 {
11341 	struct bpf_insn prog[] = {
11342 		BPF_MOV64_IMM(BPF_REG_0, 42),
11343 		BPF_EXIT_INSN(),
11344 	};
11345 
11346 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
11347 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
11348 }
11349 
11350 static int create_prog_dummy2(int mfd, int idx)
11351 {
11352 	struct bpf_insn prog[] = {
11353 		BPF_MOV64_IMM(BPF_REG_3, idx),
11354 		BPF_LD_MAP_FD(BPF_REG_2, mfd),
11355 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11356 			     BPF_FUNC_tail_call),
11357 		BPF_MOV64_IMM(BPF_REG_0, 41),
11358 		BPF_EXIT_INSN(),
11359 	};
11360 
11361 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
11362 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
11363 }
11364 
11365 static int create_prog_array(void)
11366 {
11367 	int p1key = 0, p2key = 1;
11368 	int mfd, p1fd, p2fd;
11369 
11370 	mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
11371 			     sizeof(int), 4, 0);
11372 	if (mfd < 0) {
11373 		printf("Failed to create prog array '%s'!\n", strerror(errno));
11374 		return -1;
11375 	}
11376 
11377 	p1fd = create_prog_dummy1();
11378 	p2fd = create_prog_dummy2(mfd, p2key);
11379 	if (p1fd < 0 || p2fd < 0)
11380 		goto out;
11381 	if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
11382 		goto out;
11383 	if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
11384 		goto out;
11385 	close(p2fd);
11386 	close(p1fd);
11387 
11388 	return mfd;
11389 out:
11390 	close(p2fd);
11391 	close(p1fd);
11392 	close(mfd);
11393 	return -1;
11394 }
11395 
11396 static int create_map_in_map(void)
11397 {
11398 	int inner_map_fd, outer_map_fd;
11399 
11400 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
11401 				      sizeof(int), 1, 0);
11402 	if (inner_map_fd < 0) {
11403 		printf("Failed to create array '%s'!\n", strerror(errno));
11404 		return inner_map_fd;
11405 	}
11406 
11407 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
11408 					     sizeof(int), inner_map_fd, 1, 0);
11409 	if (outer_map_fd < 0)
11410 		printf("Failed to create array of maps '%s'!\n",
11411 		       strerror(errno));
11412 
11413 	close(inner_map_fd);
11414 
11415 	return outer_map_fd;
11416 }
11417 
11418 static char bpf_vlog[32768];
11419 
11420 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
11421 			  int *map_fds)
11422 {
11423 	int *fixup_map1 = test->fixup_map1;
11424 	int *fixup_map2 = test->fixup_map2;
11425 	int *fixup_prog = test->fixup_prog;
11426 	int *fixup_map_in_map = test->fixup_map_in_map;
11427 
11428 	/* Allocating HTs with 1 elem is fine here, since we only test
11429 	 * for verifier and not do a runtime lookup, so the only thing
11430 	 * that really matters is value size in this case.
11431 	 */
11432 	if (*fixup_map1) {
11433 		map_fds[0] = create_map(sizeof(long long), 1);
11434 		do {
11435 			prog[*fixup_map1].imm = map_fds[0];
11436 			fixup_map1++;
11437 		} while (*fixup_map1);
11438 	}
11439 
11440 	if (*fixup_map2) {
11441 		map_fds[1] = create_map(sizeof(struct test_val), 1);
11442 		do {
11443 			prog[*fixup_map2].imm = map_fds[1];
11444 			fixup_map2++;
11445 		} while (*fixup_map2);
11446 	}
11447 
11448 	if (*fixup_prog) {
11449 		map_fds[2] = create_prog_array();
11450 		do {
11451 			prog[*fixup_prog].imm = map_fds[2];
11452 			fixup_prog++;
11453 		} while (*fixup_prog);
11454 	}
11455 
11456 	if (*fixup_map_in_map) {
11457 		map_fds[3] = create_map_in_map();
11458 		do {
11459 			prog[*fixup_map_in_map].imm = map_fds[3];
11460 			fixup_map_in_map++;
11461 		} while (*fixup_map_in_map);
11462 	}
11463 }
11464 
11465 static void do_test_single(struct bpf_test *test, bool unpriv,
11466 			   int *passes, int *errors)
11467 {
11468 	int fd_prog, expected_ret, reject_from_alignment;
11469 	struct bpf_insn *prog = test->insns;
11470 	int prog_len = probe_filter_length(prog);
11471 	char data_in[TEST_DATA_LEN] = {};
11472 	int prog_type = test->prog_type;
11473 	int map_fds[MAX_NR_MAPS];
11474 	const char *expected_err;
11475 	uint32_t retval;
11476 	int i, err;
11477 
11478 	for (i = 0; i < MAX_NR_MAPS; i++)
11479 		map_fds[i] = -1;
11480 
11481 	do_test_fixup(test, prog, map_fds);
11482 
11483 	fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
11484 				     prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
11485 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
11486 
11487 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
11488 		       test->result_unpriv : test->result;
11489 	expected_err = unpriv && test->errstr_unpriv ?
11490 		       test->errstr_unpriv : test->errstr;
11491 
11492 	reject_from_alignment = fd_prog < 0 &&
11493 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
11494 				strstr(bpf_vlog, "Unknown alignment.");
11495 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
11496 	if (reject_from_alignment) {
11497 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
11498 		       strerror(errno));
11499 		goto fail_log;
11500 	}
11501 #endif
11502 	if (expected_ret == ACCEPT) {
11503 		if (fd_prog < 0 && !reject_from_alignment) {
11504 			printf("FAIL\nFailed to load prog '%s'!\n",
11505 			       strerror(errno));
11506 			goto fail_log;
11507 		}
11508 	} else {
11509 		if (fd_prog >= 0) {
11510 			printf("FAIL\nUnexpected success to load!\n");
11511 			goto fail_log;
11512 		}
11513 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
11514 			printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
11515 			      expected_err, bpf_vlog);
11516 			goto fail_log;
11517 		}
11518 	}
11519 
11520 	if (fd_prog >= 0) {
11521 		err = bpf_prog_test_run(fd_prog, 1, data_in, sizeof(data_in),
11522 					NULL, NULL, &retval, NULL);
11523 		if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
11524 			printf("Unexpected bpf_prog_test_run error\n");
11525 			goto fail_log;
11526 		}
11527 		if (!err && retval != test->retval &&
11528 		    test->retval != POINTER_VALUE) {
11529 			printf("FAIL retval %d != %d\n", retval, test->retval);
11530 			goto fail_log;
11531 		}
11532 	}
11533 	(*passes)++;
11534 	printf("OK%s\n", reject_from_alignment ?
11535 	       " (NOTE: reject due to unknown alignment)" : "");
11536 close_fds:
11537 	close(fd_prog);
11538 	for (i = 0; i < MAX_NR_MAPS; i++)
11539 		close(map_fds[i]);
11540 	sched_yield();
11541 	return;
11542 fail_log:
11543 	(*errors)++;
11544 	printf("%s", bpf_vlog);
11545 	goto close_fds;
11546 }
11547 
11548 static bool is_admin(void)
11549 {
11550 	cap_t caps;
11551 	cap_flag_value_t sysadmin = CAP_CLEAR;
11552 	const cap_value_t cap_val = CAP_SYS_ADMIN;
11553 
11554 #ifdef CAP_IS_SUPPORTED
11555 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
11556 		perror("cap_get_flag");
11557 		return false;
11558 	}
11559 #endif
11560 	caps = cap_get_proc();
11561 	if (!caps) {
11562 		perror("cap_get_proc");
11563 		return false;
11564 	}
11565 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
11566 		perror("cap_get_flag");
11567 	if (cap_free(caps))
11568 		perror("cap_free");
11569 	return (sysadmin == CAP_SET);
11570 }
11571 
11572 static int set_admin(bool admin)
11573 {
11574 	cap_t caps;
11575 	const cap_value_t cap_val = CAP_SYS_ADMIN;
11576 	int ret = -1;
11577 
11578 	caps = cap_get_proc();
11579 	if (!caps) {
11580 		perror("cap_get_proc");
11581 		return -1;
11582 	}
11583 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
11584 				admin ? CAP_SET : CAP_CLEAR)) {
11585 		perror("cap_set_flag");
11586 		goto out;
11587 	}
11588 	if (cap_set_proc(caps)) {
11589 		perror("cap_set_proc");
11590 		goto out;
11591 	}
11592 	ret = 0;
11593 out:
11594 	if (cap_free(caps))
11595 		perror("cap_free");
11596 	return ret;
11597 }
11598 
11599 static void get_unpriv_disabled()
11600 {
11601 	char buf[2];
11602 	FILE *fd;
11603 
11604 	fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
11605 	if (fgets(buf, 2, fd) == buf && atoi(buf))
11606 		unpriv_disabled = true;
11607 	fclose(fd);
11608 }
11609 
11610 static int do_test(bool unpriv, unsigned int from, unsigned int to)
11611 {
11612 	int i, passes = 0, errors = 0, skips = 0;
11613 
11614 	for (i = from; i < to; i++) {
11615 		struct bpf_test *test = &tests[i];
11616 
11617 		/* Program types that are not supported by non-root we
11618 		 * skip right away.
11619 		 */
11620 		if (!test->prog_type && unpriv_disabled) {
11621 			printf("#%d/u %s SKIP\n", i, test->descr);
11622 			skips++;
11623 		} else if (!test->prog_type) {
11624 			if (!unpriv)
11625 				set_admin(false);
11626 			printf("#%d/u %s ", i, test->descr);
11627 			do_test_single(test, true, &passes, &errors);
11628 			if (!unpriv)
11629 				set_admin(true);
11630 		}
11631 
11632 		if (unpriv) {
11633 			printf("#%d/p %s SKIP\n", i, test->descr);
11634 			skips++;
11635 		} else {
11636 			printf("#%d/p %s ", i, test->descr);
11637 			do_test_single(test, false, &passes, &errors);
11638 		}
11639 	}
11640 
11641 	printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
11642 	       skips, errors);
11643 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
11644 }
11645 
11646 int main(int argc, char **argv)
11647 {
11648 	unsigned int from = 0, to = ARRAY_SIZE(tests);
11649 	bool unpriv = !is_admin();
11650 
11651 	if (argc == 3) {
11652 		unsigned int l = atoi(argv[argc - 2]);
11653 		unsigned int u = atoi(argv[argc - 1]);
11654 
11655 		if (l < to && u < to) {
11656 			from = l;
11657 			to   = u + 1;
11658 		}
11659 	} else if (argc == 2) {
11660 		unsigned int t = atoi(argv[argc - 1]);
11661 
11662 		if (t < to) {
11663 			from = t;
11664 			to   = t + 1;
11665 		}
11666 	}
11667 
11668 	get_unpriv_disabled();
11669 	if (unpriv && unpriv_disabled) {
11670 		printf("Cannot run as unprivileged user with sysctl %s.\n",
11671 		       UNPRIV_SYSCTL);
11672 		return EXIT_FAILURE;
11673 	}
11674 
11675 	return do_test(unpriv, from, to);
11676 }
11677